Odd. Did Sentry 7.6+ lose its ability to trust multiple CAs?
7.6: • Support for multiple trusted root certificates for device authentication
Built 2, adding them both to 1 Sentry
No specific reason ATM - But I’ve dealt with shops that wanted a different CA for each type of service - e.g Email, Tunnel, WiFi, etc
@ericwoodland uploaded a file: Pasted image at 2016-07-22, 3:57 PM
Instead of doing it on the Sentry why not push it on to the device as configuration item.
Well, that’s the other half of it
But if they are using one Sentry for more than one purpose with different issuing CAs, then this would accommodate that
We issue WiFi Identity Certs from multiple Cores (DEV/QA/PROD)
and the ASA needs to be able to trust a cert/build VPN from any of the CAs sitting on each Core
So in that case, we provide each CA identity up to the Cisco ASA
In this case, I’m basically doing the same thing - Saying I’ve got one Sentry, but it could accept connections from devices using other environments, etc
I think the best use case would be what I mentioned up above.. I’ve got a DEV Core where I’m testing XYZ, but need to point the device to a single Sentry that has access to the web server/email server I’m trying to test, etc.
Or something. Probably best discussed over beer
@jaimin.s uploaded a file: Spotted cow and commented: Cooling in the fridge
From our call, a quick summary: the issue was the devices on the internal "m" wifi network (I think that's the name) would fail to get the Kerberos token and no requests were seen on the KKDCP.
After multiple test scenarios, we found that since the device was not using an external DNS (i.e. google 8.8.8.8), instead used their normal Blackstone DNS server, the device never resolved the KKDCP and therefore never sent traffic to it.
Once we manually added an external DNS server to the device, it then was able to resolve the KKDCP and authenticate to the target web site.
So the next steps will be Jaimin and team will try to add the SRV records to their DNS server to see if that will also work.
On the Mobileiron side, we will be following up with engineering/dev to reconfirm what we are seeing is the expected behavior or not.
Okay - So was the device able to communicate with a DC from the WiFi segment it was on?
yep - on the one where we didn't restrict 88 it was
Hence eliminating the need for a proxy?
But what they are indicating is that the proxy is needed regardless - Right?
But we want all of the devices going through the KKDCP vs. devices hitting the KDC directly
I think that’s going to jack with other devices looking up the _Kerberos SRV records internally. Not a big deal if you don’t mind them using the Proxy, but they’ll definitely be heading that way
We'll limit it so that only the devices on the M network go through that DNS which have the proxy defined.
Lucky you’re in a position to do that
After a lot of head butting, finally convinced them.
Just don’t have the resources/time in that department
They’re almost continually playing catch-up
Anyone presently working w/ iOS SSO/Kerberos Proxy?
Is it possible to force iOS update thru MI using Core 8.5 on premise?
The way you would like.... No. However you can set your minimum iOS version to the latest version through your security policy and that would be a rude way of forcing people to update. 😉
@channel - Anyone know if applying a Label in Core based on DEP Profile is possible? Looking at the 9.1.0.0 preview and I still don’t see anything in there for that.
Have you guys run into this issue?
User goes to MI App Store - Requests App - The "Requesting.." pop up shows, then disappears and nothing happens.
On iOS.
Clear browser cache and try again. You are talking about the Apps@Work web clip?
Did that and re-enrolled device, and check the provisioning profiles.
What's the device say on the console log from XCode or Configurator?
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad securityd[92] <Error>: items_matching_issuer_parent items matching issuer parent: Error Domain=NSOSStatusErrorDomain Code=-25300 "no matching items found" UserInfo={NSDescription=no matching items found}
Aug 16 11:42:51 Jaimins-iPad MobileSafari[228] <Error>: SecTrustEvaluate [root AnchorTrusted]
Aug 16 11:43:16 Jaimins-iPad ondemandd[161] <Error>: -[ODRBackgroundMaintenance startBackgroundMaintenanceOperations]
Not really telling - I've seen this before if there is an existing version installed, however not the case this time.
Odd. What do the MDM logs say for this device?
Of all the things to not dick with
But I still have 100 devices in DEV that now need to be re-enrolled
Yeah, expiration on Apple’s side is one thing.. yanking it from the Core is another
I’m just going to suggest a demotion here, you know… to help troubleshoot the overall issue
Anyone know if it’s possible to allow MobileIron Core to authenticate using UserID or Email address?
I recall this worked back in the day, but I think it has since been removed
I need Email or SAMAccountName for DEP and Secure Sign-In
Yeah. That limitation does stink but understandable for DEP. I was pushing for PIN based registration until I found that out at MFC this year.
Have you tested PIN-based DEP enrollment @onires53? Didn't think it existed
No it doesn't exist. Now that we are DEP, pin based is out of the question.
Yeah, that makes sense. PIN based registration is a MobileIron protocol, not Apple.
How are you guys handling disabled AD accounts and retiring devices?
That Assemble script that's out there on the MI repository
@jaimin.s: We use what @MobilXperts Admin mentioned. We are configured to retire any device that has not checked in for 60 days + every Sunday afternoon. And then we have Core configured to delete retired devices daily for devices that have been retired for 1 day
In terms of Audit, do you just reference the Assemble/Core logs for the retire/delete actions?
We reference Core logs yes @MobilXperts Admin
Has anyone run into any issues with Enterprise WiFi and iOS 10 devices? We are having a lot of users losing internal WLAN connectivity. We haven't been able to reproduce on any of our iOS devices though.
Hmm - We haven’t approved iOS 10, but on our test devices we’ve had success thus far
Been able to capture any device logs from the individuals reporting it? Guessing not since they are remote
Not yet. We are gathering User Id's reporting this to see if it's hardware specific.
Yeah - that’s an odd one. The last thing in the world I’ve seen during a Mobile OS upgrade is an issue w/ drivers or hardware connectivity
Possible a SCEP/Cert issue coincidental, looking into it
@macbentosh uploaded a file: fullsizeoutput_3a3.jpeg
Yes. Polaris needs access out to validate the embedded license
Yes. The ACLS/urls are in the knowledge base articles.
anyone have any good handouts or what on how you sell this to your Doctors/users?
To answer your question from yesterday @macbentosh -
From page 14 of https://community.mobileiron.com/docs/DOC-5918
is the Lic included with our Docs@ work from MI?
MI Licenses Polaris for D@W across the board. It isn’t broken up individually for each customer
So, to answer your question - Yes, it is included in your Docs@Work license from MI
Sorry - Forgot to send that earlier
@macbentosh uploaded a file: Screen Shot 2017-05-19 at 3.33.17 PM.png
We will be next week. I'll check which specific version of 9 we have pending install
We got our QA boxes up to 9.0.2 this week
We are getting ready to put one of our QA Sentrys up to 9.1 beta. Excited for ActiveSync v16 support and the ability to point to multiple Exchange environments with a single Sentry.
It does support it but downgrades the protocol. We are already on O365 so we are good there. The full v16 support supposedly comes in 9.1. Calendar attachment support. 😎
Yeah, calendar attachment support will be handy to have. Eliminates a hell of a lot of pre-meeting emails.
Anyone here dabbled into AppleTv configurations with Apple Configurator and Mobile Iron?
Not yet. What specifically are you working towards?
Basic configuration capabilities. I'm having issues with Configurator not recognizing the enrollment profile and trust profile that was exported
Interesting. Coming from a Core w. the usual settings (Publicly trusted SSL certs, etc)?
If you attempt the same approach and load that same MDM management profile to Configurator for an iOS device--Does it behave any differently? Curious if it is anything specific to the AppleTV component, or just Configurator not playing well with that Core in general
Haven't tried that yet. I know "official" AppleTV support is in 9.4, so I might look at upgrading our test environment, then trying again
Yeah - I hate blasting a box just to try a preview version, only to have to blast it again to go to the GA release
Suppose it depends how soon you need results
I plan on waiting. GMRC for 9.4 was available last week, so it's only a matter of days until the official release
Ah, nice. I missed that notification upon arrival back. Email avalanche
anyone able to help with a per app vpn or app specific tunnel?
When I add a new VPN config and select the connection type as MobileIron Tunnel, I cannot select a Sentry
any issues using the same scep cert for apptunnel and tunnel?
No - downside is if you were to make changes to the cert both services would be impacted.
See anything weird as to why this isn't working for a Docs@Work config?
AUTOFILL_CREDENTIALS : {“default”:“cmc\$USERID$“}
@here FYI update your DEP tokens after upgrading to MobileIron Core 9.5, if you are coming from version 8.x.
If you’ve generated new tokens since upgrading to Core 9.x, you should be good. However, if going from 8.x to 9.5, you’ll need to renew them once the upgrade has completed.
@Jonathan Henson did you receive confirmation if the M@W 9.5.0.0 client addressed the issue you were seeing with LG v20 units in Android Enterprise?
I haven't reached out for confirmation. Working through audit issues this month and the workaround of setting a password on the AFW container has kept the three problem devices working.
Nice to hear there wasn’t too much grumbling about the password on the AE profile, at least for now.
Hopefully you can remove the requirement once you’ve had time to test the newer client
anyone know a way to make a label based on an app inventory
Hmm, unless a custom attribute could be created to identify a specific app in which you can then apply to the label, I’m not sure
I wish, like in Jamf, I could advertise configurations in Apps@Work
Perhaps that would be more of a workflow via ServiceNow than something offered directly inside Apps@Work
I do think long-term it would make sense to have a “Services” sub-menu, etc.
@macbentosh you could probably assign a label based on App identifier (bundle ID) inside Assemble
I keep hearing this assemble. Never used it.
Powerful when it actually works with latest Core releases 👍
Used it a couple weeks back for an LDAP migration. Retire & Delete user for anyone in a particular label was incredible.
Is there a kind of repository of MI Assemble scripts for various purposes? (I’m not such a fan of reading the API guides, rather play around with examples)
Anyone know how to check history of an Exchange server going down? Had one have an issue on Saturday and the server team is blaming MobileIron for the issue.
Sentry could have if it were configured to offload, but it does not natively retain anything that far back.
I’m curious - Why are they blaming MobileIron for taking down their server? That’s kind of absurd.
Due to re-install of an Exchange configuration? So, is that the team’s way of saying their back-end CAS servers aren’t capable of handling the load?
they took both CAS servers out at the same time
I'm lost - so are they saying MI took the CAS down when they obviously did themselves or ..?
Perhaps it failed to perceive that Server A was back up before they rebooted Server B
So, the first thing I would do (if I were the owner of a CAS server before rebooting server B) is check Server A to see if loads of incoming sessions were arriving from the Sentry appliance. If not, I wouldn’t reboot Server B
So, they failed to ensure that Server A was functioning correctly prior to the reboot of server B. I still say it’s not your problem
2017-09-24 05:00:27,281 WARN [AppServer.recordFailureEvent:362] (Thread-HC-fch1095.cmcinet.org) (,,,,,,,,,,,) Ignoring failure event for server fch1095.cmcinet.org:443 already in dead state.
Right. So Sentry never perceived Server A to be back online
So before rebooting Server B they should have checked connections, noticed it was receiving none and reached out to you
It's odd though, I can't catch the 2 marked down together
Anyone using S/MIME with iOS and per message S/MIME configs via Mobile Iron?
Sorry, @thebjohn. Not an area I’ve dealt with lately. @here - Anyone able to chime-in on S/MIME?
It would seem that files sent via encrypted email will not decrypt in iOS 11 in native Mail; can't open in other apps either, like Pages or Docs@Work. I downloaded public Microsoft Word; it will load there after confirming "recover contents of document" as Word found unreadable content
So, any new ideas on how to make a label based on installed app?
Need users to get a new WiFi policy when they install Vocera
Is it published via your company AppStore?
So @macbentosh you want them to get the WiFi -only- if they’ve installed the app? Not just generally available if they’re someone who’s eligible for the app?
I have an ent. wifi label. If someone installs an app that requires the ent. prod network i want them added to that label.
If app “insert bundle ID here” is installed, assign Corporate WiFi Label
Here’s the beginning of the rule you’d be looking to craft, sans assign of label:
[RuleNum]
numberofrules=1
sleeptime=20
delimeter=,
appnames=anyconnect

[Rule1]
NumberofElements=1
Action=report
ActionReason=installed appname anyconnect
reportsend=yes
reportname=MobileIronanyconnectreport
reportlocation=C:\MobileIron\Reports\
reportmessage=appname anyconnect
reportvar=uuid,principal,emailAddress,manufacturer,ModelName,modeluniversal,appsmanagedstatus,apps_version
Element1trigger=app:installed
Element1description=installed appname anyconnect
Element1operator=equals
Element1source=local
Element1_value=anyconnect
Instead of report, you’d assign label for that particular WiFi config
How does one go about restricting registration to devices with 9.3.5+
I don't see an option in core to disable based on version. You could disable iOS all together? ;)
You’d need something like BYODPortal, @macbentosh
The M@W Agent/iOS MDM don’t drill for a version of iOS at that point in the registration, so the only means you have to prevent a device from enrolling is to detect the browser agent details and stop it there
@Woody uploaded a file: Pasted image at 2017-10-04, 11:50 AM
I'm seeing the appid issue with another customer, but they had multiple vpp trying to push the same apps to the same people.
Have you done anything externally with vpp? Configurator or anything?
Fine, I'll assume you've not just recently added your dep/vpp account to configurator
Hm. I've had this in AirWatch and reuploading the stoken sorted it, but doesn't give you any RCA.
If we try and try it goes... hit or miss. Right now three devices: 2 got M@W and not Rover, 1 got Rover but not M@W
Can you telnet out to Apple servers without any problems? See if it's not network related.. otherwise I can't think of much else off the top of my head.
MICs logs giving you anything more interesting to go off?
@macbentosh uploaded a file: Screen Shot 2017-10-05 at 12.59.26 PM.png
If VPP is down it wouldn't make any difference anyway.. was just a thought 🙂
Has anyone seen the m@w agent resetting after enrolment in iOS 11 on core 9.5?
Like, finish enrolment, quit out of the agent, go back in and it's acting like it's never been enrolled.
I have not @Jason Bayton, but can test/check around.
Well, looks like VPP is having issues again.
In case you’re using Azure AD and looking to integrate with MobileIron Cloud - https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-mobileiron-tutorial
Guys, there will be an Update soon. With the integration of the Zimperium SDK we will be able to detect a rooted/jailbroken device even before enrolling to EMM. The Mobile@Work client will alarm the user and admin immediately. Hope you like it!
@Martin Cygan Go or M@W first? Which respective version?
Also, any date commitment for targeting API26 for Android? Work-managed work profile support hinges on it!
Μ@W first, then GO. Expect this year ;-) Sorry, can not make commitments on dates in a public channel, hope you understand this.
@Martin Cygan pretty excited about the Zimerpium integration into the M@W client
Me too. This is something new to the Mobile Space.
I set up a PoC with Tunnel as an always-on VPN in an Android enterprise work profile this afternoon. About 25 mins from creating a Sentry VM and it was up and running. Working really nicely too!
Thx for sharing. Expect same experience for macOS later this year ;-)
What a coincidence, there's a shiny, new, yet to be unboxed MBP in my case here I'm looking forward to cracking open when I land back in Wales later tonight :)
Hopefully Core 9.6 adds some more macOS mgmt features 🙂
@Kiran Patel Oh yes it will. Is there anything special you need?
Kiran, if you are a customer, I hope you have access to the Beta-Portal?
Wish I could patch-update my lab env and not have to blow it away every day
I gave that feedback to Lucky and the eng team there the last time I was at HQ. Hopefully they support that soon
Yes this is something we can improve, let me reach out to Lucky too to follow up.
@here Of those using #mobileiron, who's using On-Premise Core, Dedicated Core, Connected Cloud (Legacy) or MobileIron Cloud?
*Thread Reply:* Let’s try using a thread for the responses 🙂
*Thread Reply:* Single Core, HA, Multiple Cores for different purposes @macbentosh?
*Thread Reply:* On-prem & Cloud, single cores though have done a few HA + cold DR too
*Thread Reply:* @macbentosh are you running Email/Tunnel on all 5 Sentrys?
*Thread Reply:* Curious how many folks combine services these days
*Thread Reply:* 1 non-Kerb Sentry, 2 Kerb email and 2 app Sentrys
*Thread Reply:* 2 Cores, 10 Sentry appliances globally
*Thread Reply:* @macbentosh why the need for the non-KCD Sentry? Folks that haven’t yet migrated, accessing EAS manually, etc?
*Thread Reply:* We had an issue with shared devices and the Kerb certs
*Thread Reply:* We also use it for additional accounts: assistants who want their email and their boss's
*Thread Reply:* Kerb doesn't work for additional accounts
*Thread Reply:* OnPrem, CLOUD (we are a MI partner so we have both)
*Thread Reply:* Same as Ole, both Cloud, CORE + Connected Cloud, Hosted CORE for our customers
On Prem
We have > 200 Hosted Cores + > 300 Hosted Sentries, 2 own MobileIron Cloud Clusters and many more stuff on premise 🙂
In total somewhere above 200k, not counting the AirWatch customers
Not that different to a single environment. It's just mainly much more automation 🙂
Or are you in-house at a firm? If so, that is a massive deployment!
The first one - we are a company shaped around mobile enterprise use cases, trying to fulfill all the upcoming needs and therefore provide a wide range of stuff around mobile
If this all would be just one customer, this would be huge :-)
That's quite impressive @Fabian. Probably one of the biggest MI Partners 🙂
@Simon Hardy-Bistagne how does VF compare at the moment?
*Thread Reply:* Depends what section/area you're looking at and from what angle... to work for, or as a customer?
*Thread Reply:* MobileIron hosted server count in the German DC I mean.. :)
*Thread Reply:* From a platform technology perspective it's a stable and up-to-date offering at the core. Biggest issues though are around deployments of the UEM components and managing non-iOS or Android devices. The "offering" as a product just hasn't been looked after properly.
New Posting in #jobhunters btw. Feel free to join the Channel.
WARNING:: MobileIron gateway is unreachable.
@macbentosh normally it means appgw.mobileiron.com via port 443. You can check the status of the MobileIron services under https://trust.mobileiron.com/; if there isn't any degradation, it's probably some connection issue within the network between the Core and the AppGW
*Thread Reply:* It would be great if the activation service for Email+ would also be shown on that site. It was down a couple of weeks ago and this would help!
You can find more information regarding the App GW under https://community.mobileiron.com/docs/DOC-4935 🙂
Anyone on-prem MI Core? And if so, running HA? Have a question if so
*Thread Reply:* Fair point. Threading it.
*Thread Reply:* We are troubleshooting an issue with random long HA sync times, like 14-24 hours for Cores with at most 30k devices. We switched NIC on VMs recently as a recommendation by MI, no luck. We are going to test flipping primary to the other data center now in QA to see if that makes a difference. There are a lot of factors here and we are trying to rule them out 1 by 1
*Thread Reply:* For more background. (2) environments, both with (2) Cores, (1) in separate data centers with HA sync set to every 2 hours between the Primary/Secondary. Nightly auto backup runs once every 24 hours as our fallback. Compliance check interval set to run every 12 hours for reference. We also have (3) Assemble jobs that run daily.
*Thread Reply:* Long sync intervals are very sporadic, happening a few times within a week span with no specific times
*Thread Reply:* How annoying. Intermittent issues are always the hardest to track down.
*Thread Reply:* Which version(s) of Core servers?
*Thread Reply:* (And has this been an ongoing problem, or a recent one?)
*Thread Reply:* Currently at 9.4 in Prod and testing 9.5 in QA. Still seeing the issue in QA relative to device count obviously. Normal sync times in QA are about 2 minutes, long ones shoot up to 20, for like 10 devices
*Thread Reply:* We aren’t sure how long honestly. We noticed recently after reviewing logs and sync times just because we wanted an idea
*Thread Reply:* The QA servers in the same DC locations, presumably?
*Thread Reply:* @thebjohn that is odd. We had 2 Cores with nearly 60k devices syncing in ~1 hour and 45 mins.
*Thread Reply:* That is our average time, then have the long ones popping in at random
*Thread Reply:* And the QA servers running on different VM servers, presumably?
*Thread Reply:* I think that your approach is the intelligent one, reducing the factors that could be causing the issue in order to identify the real culprit.
*Thread Reply:* I would be tempted to run the two QA Cores in the same DC, to rule out the wet-string and as many intermediary switches/routers from the equation as possible.
*Thread Reply:* Are you seeing occasional timeouts with your API calls too?
*Thread Reply:* Yes, different VMs but essentially mimic prod so that we can test configurations, upgrades, etc prior to rollout in Prod
*Thread Reply:* With APIs not that I know of
*Thread Reply:* I don't think we could get ESX hosting to switch the VM to a data center easily as that would require re-IPing and all that fun stuff
*Thread Reply:* Specifically different VM physical host servers?
*Thread Reply:* Oh, we have some using vMotion for that, but that’s another story.
*Thread Reply:* The challenge is going to be to consistently replicate the failures in the QA servers - absence of a failure won’t prove absence of a potential issue.
*Thread Reply:* I guess the answer to your question is: no, that shouldn’t happen. Unfortunately, I guess what you really want is the answer to “why does this happen?” and even more so “how do I stop it from happening?” 🙂
*Thread Reply:* Haha, well, that is ideal, but I know this one is going to be tough to crack. We are trying to review network issues, VM hosting and Mobile Iron simultaneously. As you know with any IT organization, they don’t like to be called out for issues, so finger pointing starts
*Thread Reply:* Understood. May I ask that you leave this with me - you’ve piqued my interest on this and I’d like to discuss it with our technical team just to make sure none of us have seen this before and I’m missing something obvious.
*Thread Reply:* We have a case open with MI, and have for a few weeks but seems to be no end in sight, which is why we are starting to try a few things to see what happens. Any suggestions you may have are greatly appreciated! @Jason
*Thread Reply:* @thebjohn has MobileIron identified any areas they perceive to be a pain Point?
*Thread Reply:* I’m curious if it’s taking more time to perform the DB export/zip or if it’s during the transfer process to the secondary, etc.
*Thread Reply:* Not yet. The NIC change on the ESX host was their only recommendation thus far
*Thread Reply:* I'd check what Jobs are running during synch to see if they can be interfering possibly
*Thread Reply:* We run the standard cleanups for housekeeping quarterly as well as prior to every Core upgrade.
*Thread Reply:* It’s hard to catch since we haven’t seen consistent times, to determine what other processes are running.
*Thread Reply:* Perhaps there is some existing debug logging functionality in the appsync script of the secondary Core which could be enabled. If not, I'd suggest integrating such logging manually. It is important to understand what takes long, to identify why it takes long.
*Thread Reply:* @thebjohn Quite a while back I have seen a similar issue and spent days searching round. The initial tests I would suggest on your dev environment if that has the issue, capture the port diagnostics and search the PCAP. Wireshark is what my guys used and came up with lots of DB error returns. We ended up as a test backing up the DB and restoring to fresh build of Core. This seemed to resolve in our case.
*Thread Reply:* Apologies if you have already done this.
*Thread Reply:* Infrastructure issues are always the most complex and each department always looks at the others.
*Thread Reply:* Like in ms teams, threading is not a default knee-jerk thing to do here. Could be better
*Thread Reply:* Agreed, but as this grows, so will the difficulty in finding questions/answers, so this makes sense.
*Thread Reply:* Yeah - Easier to search for a thread and find all associated comments/etc
*Thread Reply:* Only downside is you can’t drop attachments into threads
*Thread Reply:* Agree. I think we’ll see more revisions to it. We’re technically in 1st Gen threading, haha
*Thread Reply:* Where’s Usenet when you need it, eh?
/poll “Do you use MobileIron Access?” “Yes” “No” “Evaluating It” “Considering It”
I’ve posted that we are evaluating it: we work on Evals with customers currently
@here Anyone here hosting Sentrys in AWS or Azure, by chance?
*Thread Reply:* I don't know if current, but we've had Sentry in AWS.
*Thread Reply:* Standalone Sentry works, but currently only supported for MI Cloud afaik
*Thread Reply:* That’s accurate, @Fabian. Just completing my first in Azure. Fairly straightforward, though I believe AWS is even easier.
*Thread Reply:* I am still trying to install a Cloud Sentry in Azure with ARM mode
*Thread Reply:* If anyone has reliable CLI commands in ARM mode, let me know 🙂
*Thread Reply:* No, I think it is also supported with Core
*Thread Reply:* @Ole Schulenburg AFAIK all it supports ATM is Classic. Haven’t seen much success on the latter
*Thread Reply:* Well, I know. I tried in our environment in ASM mode and it worked. But this customer doesn't want to (or can't?) use ASM and wants to use ARM
*Thread Reply:* Anyway, I have a set of commands, I will try them and let you know
*Thread Reply:* @Ole Schulenburg a set of commands you say? Care to share? 🙂
*Thread Reply:* Yes. If they work I will share them. I am getting around to testing them this week, hopefully next Tuesday
@Woody sitting down with Kevin and Mike talking about it now!
Everyone’s thoughts on the change in leadership at Mobile Iron? Moving their CFO to a CEO role means one thing to me
*Thread Reply:* Looks like they aren't growing fast enough for investors. Makes sense to put a money man at the top.
*Thread Reply:* Having met them both, I understand. Barry was friendly enough, but not the dynamic leader that MobileIron deserves. I think that Simon is the right person for the job - he will do a great job leading them in their next phase of growth, IMHO.
*Thread Reply:* @macbentosh Barry has left the business. Simon (previously CFO) has taken over.
*Thread Reply:* I believe the correct phrase is that “he was resigned”…
*Thread Reply:* Replaced a people person with a finance guy, my perspective is more focus on bottom line and shareholders vs customers. May be a stretch, but just a perspective
*Thread Reply:* Bottom line hasn’t been unhealthy, though you could argue that top line hasn’t grown quickly enough. Having met both, in this case I would say that Simon inherited the extrovert genes.
*Thread Reply:* @thebjohn MobileIron will never lose focus on customers. The product and the company are built on customers' needs!
/poll "Are you coming to MobileIron Live 2018 in Berlin?" "Yes" "No" "Need to think about"
15.05. Partner Summit, 16./17.05 MobileIron Live
*Thread Reply:* I'd certainly like to come to the next one!
*Thread Reply:* So you have not been to the last one?
*Thread Reply:* None so far, I was at the TPS but haven't ventured over to Berlin as yet.
*Thread Reply:* You should. This is an experience you will never have somewhere else!
*Thread Reply:* I don't see why I couldn't having the dates this far ahead 😎
Thanks for the release folks, I've been waiting on this for ages 🙂 https://bayton.org/2017/10/mobileiron-officially-supports-android-enterprise-qr-code-provisioning/
Quick announcement, the “Bridge Corner” will go live soon.
Great job and thanks for all your efforts @Jason Bayton and #mobileiron in getting Android QR provisioning. Soon hopefully we can get the same for iOS with the stock camera app now supporting QR codes.
*Thread Reply:* Why? Isn’t DEP enough for you or do you have another requirement in mind?
*Thread Reply:* Can't do DEP on BYOD
*Thread Reply:* Have you tried a QR code for the iReg process? You can generate one with the code and email it to the team, print it out, etc.
*Thread Reply:* https://<core_fqdn>/mifs/c/i/reg/reg.html
*Thread Reply:* What would be dope is for the QR to include WiFi creds for a provisioning SSID. Curious what the likelihood of that happening is
*Thread Reply:* @Jason I believe you can send that QR code in your provisioning email too unless I'm mixing my UEM and MI knowledge.
*Thread Reply:* Though, that said, I haven’t tried it myself in a while. (Just a tick)
*Thread Reply:* Yup, as I thought, it’s HTML, so as long as you can host the image somewhere, you’re good to go.
*Thread Reply:* @Woody Not sure how you’d include the WiFi creds in a URL exactly, but open to being taught!
*Thread Reply:* @Jason IDK if it’s possible either, but that would be epic. QR, join the network, install the client, become managed and you’re on your way. Same would be great at the beginning of the DEP wizard
*Thread Reply:* You can share WiFi over QR, but it's inherently insecure.
No worries @Kiran Patel, was a lot of fun to work on it 🙂
*Thread Reply:* @Jason Bayton How would you do that for iOS, please?
*Thread Reply:* Android/iOS can both read a QR containing WiFi info, but I think a hosted configuration file with a link in the QR is likely the easiest and most secure. I'll see if I can figure something out
*Thread Reply:* The thought would be to hop them on an isolated ‘Provisioning ’ WiFi segment just for enrolling to MDM, so even if someone deciphered the creds they would have minimal access
*Thread Reply:* Exactly. Onto a guest wifi, enrol through ireg, job done!
*Thread Reply:* guest wifi + ireg + ideally a one-time, unique-per-user username and PIN in the reg email would be great.
*Thread Reply:* Not sure if all of that is technically possible but that's the vision
New in MI Go and AtWork, big Android focus:
• Admins can disable Unknown Sources device-wide (requires Google Play update)
• Support for Firebase Cloud Messaging
• TeamViewer for Android enterprise (device owner, work profile)
• Work managed device Kiosk mode - added user options for Date/Time and Mobile settings
• Unlock devices now resets password to “0000”
Coming #soon
Anyone using Core to administer iOS MAM? One question: When a device is “retired”, how long does it take to acknowledge the retire and remove the configuration profiles (if at all)?
if using AppConnect, as every time you open an AppConnect app you check the status in the MI Client, then it retires the device
Right, b/c Core owns/controls the container and if the relationship is severed it will remove apps as well
So what I’m seeing lines-up. No native ability to forcibly remove anything w.o a formal MDM profile
As you don’t manage the device, yes, you only work on the AppConnect container
you can remove the certificates only if they are in the AppC container
I’ll check and see if AppConnect is an option for this scenario. The only components will be Core/M@W/App (Wrapped for AppConnect). Correct?
Basically yes, but there is one more important aspect: How do you ship the InHouse App to the device? This would at least require the Apps@Work Webclip or Apps@Work container App
MobileIron is fine for MAM when using an MDM profile. I think it's not good MAM without, at least not on iOS.
You can restrict an MDM profile's permissions accordingly, if user concerns have to be mitigated
In testing, I pushed the Apps@Work WebClip/Cert and it arrived. That was fairly smooth. App request was fine, but the user Trusting would be perceived as weird.
That makes sense about using a subset of MDM for “MAM” @Fabian. Issue with what I’m discussing is the devices in question are subcontractors and may already be in a relationship with another MDM
My writing was interrupted by an incoming call... that was what I was writing 😉 - Using MAM without MDM is interesting when you assume there might be another MDM. The other MDM will likely try to prohibit the usage of any 3rd party app authors, unknown profiles, etc. This could in general be a problematic approach.
E.g. if you have a manufacturer of furniture, which provides some nice Apps for how to arrange these, the furniture shops selling this furniture would have an intrinsic motivation to distribute such Apps to their employees via their own MDM. The goal of the manufacturer would be achieved, providing the Apps to the customers 🙂
In the use case of AppConnect, would the abilities of the existing MDM profile be limited? Since the entire thing is housed inside Mobile@Work, with the exception of the AppConnect App’s Distribution Profile.
You'd have Mobile@Work, Apps@Work Webclip, Apps@Work Client Certificate - But what happens when starting the installation of an InHouse App from within Apps@Work? The user would be prompted to trust that developer and install the provisioning profile of the .ipa file. If the existing MDM denies that trust (not sure whether this might be limited to supervised devices only), you cannot install any InHouse App past that MDM.
However, if you already got Apps@Work Webclip and Client Cert installed on the device, it is very likely that installing the InHouse App will also work 😉
So, regardless if you’re using native iOS or AppConnect-wrapped app, you’d still be subject to the same possible scrutiny from a pre-existing MDM’s perspective
side question to the topics above... with the ability to specify a cert in the SSO config is there a way around the pesky cert prompt for the Apps@Work WebClip?
That’s an iOS thing @Kiran Patel. It was gone for awhile and now it’s returned as of iOS 9 or 10.
It only prompts once to accept though, unless you clear Safari cache that is, then I believe it will prompt at next launch only once though after accepting, correct?
correct and every new device enrollment
I do wonder if you installed the CA identity for A@W to the device, if it would prompt. They used to automatically look at what cert the site was calling for and provide it. For whatever reason that was deemed inappropriate or insecure.
It would allow an unknown internet website to query you during the TLS handshake whether you have a client cert of one of the following 50 CAs, for discovering to which enterprise you might belong and deliver malware accordingly. It's kind of DLP, that's ok. But Apple failed to provide a solution for enterprises with EMM...
Shouldn't we invite someone from Apple in here? 😄
We’ve got one - @thomrburg. I’ve got another in mind
Hi guys sorry I didn’t take the time to answer about MAM only. Few things:
Cautions:
Core 9.5 testing, on-prem, iOS 11 devices. Testing passcode requirement changes, in particular, changing from 4 to 6 for a particular program. After change, device continuously prompts for new PIN, but can be ignored constantly. Mobile Iron recognizes Passcode Compliant in device details as False, yet after 2 days of check in and Compliance checks, doesn’t flag non-Compliant, thoughts?
*Thread Reply:* Interesting. I honestly don’t know that any of the protocols/values for this age-old setting would/should have changed with iOS 11.
*Thread Reply:* That was my thought too, maybe a Core bug?
*Thread Reply:* Any chance you’re part of the Preview Program? 9.6 (Atlanta) has a lot of iOS 11 improvements
*Thread Reply:* ETA still end of November release?
*Thread Reply:* I was also checking the general iOS 11 Compatibility page and saw no mention of something like this: https://community.mobileiron.com/docs/DOC-6671
*Thread Reply:* Ya, we are a little baffled on this. Reason I ask is we plan to align all of our programs to a 6-digit minimum, which is lowering Corp stuff from 8 to 6, but upping BYOD from 4 to 6. Need to confirm Core marks as non-Compliant if at 4, but doesn’t seem to be the case in testing in 9.5
*Thread Reply:* Do you have “policy out of date” compliance actions in place?
*Thread Reply:* This may be iOS 11 specific
*Thread Reply:* I tested on a 10.3.3 device with only a 4-digit PIN prior to registering. It then gave me continuous prompts every 15 minutes when I selected later, but after 1 hour, forced me to change it, expected behavior. iOS 11 device just seems to allow just pressing later
*Thread Reply:* Confirming one more time on an 11.0.3 device that this is the case
*Thread Reply:* Do you have iOS 11.1 Beta 5-ish to try as well?
*Thread Reply:* Not yet. That’s another thing to try
*Thread Reply:* I have to test as is first with official releases since we block Betas for Corp and BYOD devices. By block, we have compliance actions, but I’m special and am excluded. Once the hour wait period is up on my 11 device I just re-enrolled, I’ll try a beta release and see
*Thread Reply:* I’ll report back on findings
*Thread Reply:* If an iOS 11-11.0.3 bug only, then hooray
MobileIron will officially support MAM only scenarios! From what I was saying last time we discussed, the prompt for every policy change will disappear !! Great news!!
@NicolasR when will it be officially supported?
Looking forward to the drop @Russell Mohr! Why the separate Core instance?
Basically I think it's a limitation around how the MDM cert is distributed on Core.
Interesting. The beta definitely has our attention. We are still on 9.4 and decided to hold off on 9.5. 9.6 gives several items we have been anxiously waiting for.
Ya 9.5 broke some stuff for us, so we are holding off until 9.6
The MAM only solution still requires a client (Mobile@Work) on the device though correct?
Yeah. A lot of issues with 9.5 so we held off. Only issue for us is that our Android O clients cannot get to the Apps@Work store. But we are willing to hold off until 9.6.
The test I have done that fixes the issue was done against CORE 9.4 with M@W 9.7 😉
MobileIron Cloud - I've set up a policy for whitelisted applications and want to email administrators when the device(s) fall out of compliance. The policy setup only allows user notification from what I can see. Any hidden options by chance? cc @Woody @Russell Mohr
(I've created a report outputting users in CSV, but this isn't what the customer wants.. )
and generate a policy violation report every 4 hours
*Thread Reply:* :( ok. The report doesn't go into enough detail for the customer.
*Thread Reply:* gotcha. I’d like to see this improved too
Has anyone configured Tunnel with Split Tunneling and using wildcards? We are seeing an issue with users who have a VPN config pushed from MobileIron on the device but have not yet installed Tunnel. Since our root domain is in the VPN config to support split tunneling, they aren't able to get to our public website (which is the same domain name as our internal)
@Jason Bayton - MI Cloud doesn't have the "CC to Admins" option that MI Core (On Prem) has?
*Thread Reply:* Seemingly not, see Russ' reply above.
*Thread Reply:* Unfortunate - will be nice once they finally merge the code for the 2 products
I think we are seeing the same issue, where we have sites hosted internal and external, but with the same domain identified. We have to start adding individual URLs in each Tunnel sentry for Advance Traffic Control so that it proxies that traffic back out.
just dep’d through an iphone x…will not connect to mail server…
Thanks! But what is correlation between DEP and mail server? :-(
Probably a different EAS device type identifier within the initial Options/Foldersync?
@Russell Mohr Will the MAM only be part of Silver, or will it be a dedicated license? I‘d love seeing it in Silver, not creating any financial barrier towards more sophisticated MDM with current Silver
on Cloud, its iOS only for the moment, no MobileIron Go app required
AppConnect won’t work without the MobileIron agent
BTW, how you doing @Fabian? Long time no see! I need to come visit you guys in Koln!
Doing a good job, flooded with orders... By all means sufficient work 👷 You're always welcome 🙂
I haven’t tried it lately @macbentosh. I know it’s a big feature touted in Core 9.6.
really? We are being pushed towards cloud for it
Likely because no one is talking about 9.6 officially yet perhaps?
MobileIron is in general pushing towards Cloud ;-)
Really? I haven't had an alert since the first beta dropped :p
getting connection to server failed until we reboot.
Not yet - That‘s not related to the initial reports about EAS throttling when iPhone X was released? What does Sentry say?
I think there is a global issue with iPhone X...
Interesting @macbentosh. Curious to hear what the Sentry logs say as well
API to force iOS update on supervised devices?
On Core? I don’t think that is a supported action in the api.
Yeah, I’d side with @Jason Bayton and say if anything, Assemble would be the go-to for this request.
It’s items like this that really warrant some sort of easy front-end for the API in Cloud as well (cough Assemble cough)
In regards to “Web Application” deployment via Core. Is there a way to…
Whelp! Found in the forums that it’s been requested to grant the user the ability to uninstall/remove a web application. Still didn’t find if there was a way to push a web application. Unless there is a way that I can’t find.
You mean a WebClip? You can publish WebClips today
They can also be configured to launch in Web@Work if that is your preference
No way to publish web clips on Android... so hard to understand why MI didn’t implement this...
Is it a limitation of Android or Mobile Iron?
Is there any information from MobileIron regarding iPhone X app (design) updates for Mobile@Work, Docs@Work, Web@Work and especially Email+? There‘s an email+ 2.9 beta but without UI adjustments
*Thread Reply:* I haven't seen anything as yet? Does it look horrendous? 😄
*Thread Reply:* There‘s just a lot of black space, not nice if email+ is your daily mail client 😀
*Thread Reply:* http://d.pr/i/XVSQ3b/CJE078kk
*Thread Reply:* http://d.pr/i/87eArG/4XtpdA2i
*Thread Reply:* 😆 I guess it makes sense they hard-code the height? I mean it looks like they have done that at least.
*Thread Reply:* Last feedback from support: „There will only be a limited difference between iPhone 8 and iPhone X from the apps perspective“
*Thread Reply:* Well that's fine if the "limited difference" is filling the black bars..
MobileIron CORE. CLOUD supports it.
Nah, I was referring to a Web Application as opposed to a WebClip.
So @japple you’re looking for a way that a user could request a Web App from Apps@Work, then uninstall/remove it in a similar way. Yes?
I see that a user can tap to “install” the Web App from Apps@Work, but I was wondering if there was a way to “push” it automatically for them. And also the ability to uninstall/remove it.
Well, the equivalent of “Pushing” them a Web App is pushing them a WebClip. Deleting the WebClip (either requested as a Web App or pushed as a WebClip) is the only way to get rid of the “Web App”
got the email about sentry 9.2…when does that drop?
@macbentosh I believe Core 9.6 is scheduled to drop sometime around now and I would guess we’ll see Sentry 9.2 in a similar timeframe. Those two tend to pair-up nicely, so release dates are coordinated to be near one another.
Sentry 9.2 targeted for beginning of december.
Thanks, @Martin Cygan!
Is there a way to automatically remove an app if the user is no longer connected to WiFi? A specific in-house app that mustn’t be used outside the office. Thx in advance
*Thread Reply:* Thanks. With a script running every x minutes, and then install it when connected to WiFi. Go and see assemble trigger name. Thanks again
*Thread Reply:* Much better to control access to the destination than to remove the app
*Thread Reply:* Use tunnel to a sentry on the local network for example
*Thread Reply:* don’t expose sentry to outside world- only accessible from that WIFI network
*Thread Reply:* The app has a cache on it. So users can access data even in airplane mode :(
*Thread Reply:* Other options: AirPatrol (geo fencing) or Cisco ISE (if in use) integration
*Thread Reply:* Assemble and geofencing was yesterday a solution but I have to inventory all gps sites so I will look for air patrol. We have Cisco ise but what was your thoughts ? Thanks
*Thread Reply:* Not sure about the ISE capabilities with the MI API, but I would envision that ISE can add/remove labels whenever the device joins/leaves an ISE managed WiFi.
*Thread Reply:* Ah yes, I used to work with the MI API and trusted devices enrolled onto MI with a trigger that was the MAC address. But it could be very difficult due to energy saving. I will force app dev to shut down the app if no SSID is connected and a specific URL doesn't return 200 OK. Too complicated and painful for the end user
*Thread Reply:* probably the easiest solution if you have control over the app development 🙂
*Thread Reply:* @Tobias I will force to do that. Thanks again
> MobileIron’s beta version of Monitor 1.2.0.0 is now available for testing.
The upgrade to 9.6 this AM was an absolute doddle. Nice one @Martin Cygan & co 🙂
Full disclosure: It was in my lab, but the experience was smooth. Ah, I remember back in the 7.x days when that was not so much the case 🙃
I’m sure if they’re real Gangstas, they’ll find a way
*Thread Reply:* Mac controls, AE improvements, windows improvements, few other bits and pieces. Looks like a major Mac release actually.
*Thread Reply:* My favorite is the Work Schedule policy
*Thread Reply:* Oh yes, I forgot about that @Russell Mohr
@Woody uploaded a file: Pasted image at 2017-11-16, 11:49 AM
Man, those are some serious lockdown capabilities on a device. I’m curious what type of Enterprise/government agency would leverage this feature
France are big on this due to local laws I think. Possibly Germany too.
I know the German Workers Council is a crazy deal, but didn’t realize it was to this extent
DAIMLER + VW introduced this already in 2010 with BB
I welcome it for the US. I can’t count the amount of times I’ve “turned off work” on my devices during the nights/weekends. Although, I do commend Android for being able to “turn off” the work profile. It just needs to be more easily accessible.
@Jason Bayton uploaded a file: 201711161806_00.gif
Ah, nice @Jason Bayton - IDK how I overlooked that
Perhaps it was back in 6.x when I discovered and hadn’t looked around in awhile
@Jason Bayton What tool are you using to create these animated screen GIFs on the fly?
@Tobias I switch between Mirror and AZ screen recorder
@Jason Bayton it looks like the putting Work to Sleep feature arrived in Oreo? Just checked on 6/7 and didn’t see it.
6 I think. Some OEMs didn't implement it for some bizarre reason (I've written about that previously).
Gotcha. Come on Samsung, you’re better than that!
still no ability to add a wallpaper in an automated fashion to ios with MI Core?
In an automated fashion @macbentosh - Like, outside the Add New -> Policy or in terms of automatically distributing it?
Although now that I said that I’m having trouble finding it….
*Thread Reply:* Still wondering why some configurations are not policies and vice versa... iOS restrictions should be lockdown policies!!
which is also what @Woody said. Need glasses here. But it is new in 9.6 as a policy.
“This policy applies to iOS 9.3+ supervised devices only.”
@thebjohn uploaded a file: Slack for iOS Upload
I blame it on the Fruit company.
Why the downvote, @thebjohn? You wouldn’t want your own BYOD having a corporate wallpaper set, would you?
Apple’s recent changes to limit which permissions/restrictions can be set on iOS devices seems to put the consumer - and their privacy - first. Without trying to sound like a fanboi, I wish more ISVs and manufacturers took this view (I’m looking at you LinkedIn/Microsoft, Facebook and Google…)
If you need these restrictions, add the device into DEP - which you can now do even when you don’t have a proof of custody supply chain (albeit by using Apple Configurator)
@Russell Mohr - That's awesome, I have been waiting for this quite a while. Now there's just the Device name left, and Apple TV management is fully available 😄
@Jason All Corporate devices aren’t necessarily supervised, so having the capability to do this on non-supervised iOS devices would also be ideal. But to your point, with iOS 11 allowing for manual addition to DEP, that is a route we can take for countries that do not offer that feature through suppliers.
Agreed, I’m not suggesting it’s ideal, but that’s the Apple ‘logic’ being applied here.
But if this is only done via Apple Configurator, then that is an obvious no go for us. We deploy thousands of devices worldwide, plugging each one into a Mac with Configurator is not a sustainable solution
Yup, that’s the only way to get them into DEP. It’s a single, one-off operation, so may yet have legs, especially in combination with a USB hub/cart configuration.
Cheaper than buying DEP devices in a supported country and sending them to another(!)
(I’m sure @aaron will also want to chip in at some point with his product offering here too… ;-)
@thebjohn There is a tool called Groundcontrol which emulates Apple Configurator on distributed Windows devices with a central management console. So you just need someone in each of your worldwide locations who installs the tool on a PC and plugs in iDevices, everything else is centrally managed (https://www.groundctl.com/)
Whoa. Thanks @Tobias. Great description of our product. May I invite you all to continue discussing in the #v_groundcontrol channel?
was not even aware we have a Groundcontrol channel here 😁
@Tobias That is pretty sweet! I will definitely have to check that out, thank you!
*Thread Reply:* Define? I understand there's a fix in 9.6 for LDAP for the bug in 9.4-9.5
*Thread Reply:* not picking up all ad groups
*Thread Reply:* we do kerb email label with an ad security group
*Thread Reply:* What do the LDAP logs say in MICS @macbentosh?
*Thread Reply:* Any indication that it’s seeing the group, but with no changes? Or just not seeing the group at all?
*Thread Reply:* it’s in the group in ad but the label doesn’t apply
*Thread Reply:* and just to confirm, the group is under the LDAP config in MI to sync, right?
*Thread Reply:* So if you take the failing label syntax and plug it into a new label filter, does the device appear in the results?
*Thread Reply:* Is “Sync discard” option enabled?
*Thread Reply:* The suspense is killing us, @macbentosh LoL
*Thread Reply:* Odd @macbentosh. What do your LDAP Search Filters look like for Users? The default or something different?
*Thread Reply:* Default = (&(objectClass=user)(objectClass=person))
*Thread Reply:* When using LDAP (not LDAPS) make a trace and look at it in Wireshark. It gives you a clear view what Core is requesting and what the responses look like. That might give some insight what exactly is misbehaving
*Thread Reply:* and @macbentosh this was working in your former version of Core, yes? Any chance you ran 9.6 in a DEV/QA scenario before it went into PROD?
@macbentosh uploaded a file: Screen Shot 2017-11-21 at 2.14.35 PM.png
Our technical team didn’t mention this when they did their testing, so I’ll ask them to double-check and let you know if they do find anything.
Hi all, We have had 9.6 in testing for 2 days now with iOS, Android and Windows 10 phones. Sorry about the Windows phones, we still have a couple of customers. LDAP looks fine and no issues we can see. Next round of testing and GPO etc is for tomorrow, so I will ask the techs to double check log files and verify back here.
Hi everyone it seems that a 9.6.0.1 is planned for the next few days. (Source: announcement mailing from MobileIron)
I think there is a major issue... 😄
Of course, due to Thanksgiving, I expect this will happen next week
*Thread Reply:* Only in JIRA, no public info right now. Will be mentioned in the Release-Notes. If you need more details, pls ping me.
*Thread Reply:* Is there an ETA for the fix? Hoping it's in 9.6.0.1
*Thread Reply:* JIRA internal to MI or Partners too? I had a very brief look between flights last week but didn't see anything jump out.
*Thread Reply:* Ours is names that it is not expecting within {}
*Thread Reply:* Batch processing has been causing problems from 9.4 already.. with the fix supposed to be in 9.6
Is anybody using S/MIME via Exchange config and UserSelfService Certs on iOS with Core 9.5 or Core 9.6?
We are on 9.4 in Prod, but testing on 9.5 in QA, going to update to 9.6 though, what’s up?
If i have a video or photo in my files on docs at work how do i save that to the camera roll?
@macbentosh You might be able to allow Open-In to the Apple Photos app. I’m not sure that you’d ever have direct access to save to the Camera Roll from AppConnect.
@Woody uploaded a file: Pasted image at 2017-11-27, 2:21 PM
seems like docs at work is just choking on videos
So, you’re able to save Photos out to the Camera Roll, just not Videos?
Or Docs@Work isn’t processing/displaying videos as it should?
just taking forever to load in a 100mb video then fails to play it
Does a 1MB test video have the same problem?
how would you guys load videos for a kiosk mode style setup?
Probably store them locally inside an app, restrict to only that app and play from there?
I suppose Single-App mode as well, once we hit iOS 11.2 and its new features
I’d drop a ticket with support to get the ball rolling. Perhaps there’s just an optimization that needs to be made for video sizes exceeding Xmb
here’s another question…What format (codec) does D@W support?
AFAIK it inherits the codecs supported by the iOS/Android platforms
What is the source of the video file, @macbentosh?
@Thomas H. Yes, cert type user provided, but uploaded via API
@Fabian Any problems with signing Emails and S/MIME since iOS 11?
No issues like that have been reported to us, so I assume it's working so far
some people mentioned this in the comments here: https://community.mobileiron.com/docs/DOC-6671
anyone know if there are key-value pairs for VLC
I’d check AppConfig.org or the MobileIron Marketplace. If not there, hit VLC up directly.
if i set a wallpaper for a device only it sets centered. If it is set by policy it is off center.. Same wallpaper.
So, the former is by hand or configurator and the latter is via MDM/MobileIron Policy?
what does it mean when a wifi policy is partially applied
In terms of the WiFi, I believe that means it’s delivered but the user hasn’t entered their password to “complete” the application
so I connected and the proxy is not applying
Looks like Core 9.6.0.1 is out
Yup, we’re putting it through its paces at the moment. Anyone else using (or having customers using) WinPho devices?
Excellent, going to get it in QA today or early next week.
We aren’t doing WinPhones
Still not possible to delegate apps import/edit or distribute to a specific user or an ad group ? Thanks
9.6.0.1 fixes the LDAP issue identified in 9.6?
@thebjohn didn't see it mentioned in the release notes
After scanning, neither did I. I assumed this was the fix in this release judging by the quicker turnaround and version number.
Kiran that still references 9.4-9.5 with a fix in 9.6... so perhaps that's something else? They're a bit all over the shop at the moment it seems.
@Jason Bayton I agree, I was a bit confused on that KB article as well
Do any of you have experience with pulling reporting data from the Core using the MobileIron APIs and Microsoft PowerBI? For some reason certain API queries kill the Core, and I then need to request our MobileIron provider (Vodafone Global Enterprise) to reboot the VM. The environment is only 15K devices on Core 9.5, all queries run fine in the QA environment which has only a few dozen devices registered. Any tips? VGE doesn’t seem to be able to get this resolved 😕
*Thread Reply:* If Dirk is still around (I forget his surname but there's only one I'm aware of looking after hosted Cores) ask that he's involved with troubleshooting. VGE will have full access to the systems so should see something.
*Thread Reply:* Mueller? Nope, he’s not there anymore
Some APIs do use a lot of resources and it does not seem to be coded for efficiency. So try to be as lean as possible, apply as many filters as you can and do not request unnecessary data. What API calls are causing issues? If VGE is using a virtual environment, they might not have set the reservations for the VM, which could cause an issue; escalate it to MI support
*Thread Reply:* It seems that many (all?) API queries are causing stress on the Core, but there is one that certainly kills the system instantly; https://corename.vodafone.com/api/v2/authorized/users?adminDeviceSpaceId=1
@Duncan Do you have a Reporting Database VM?
*Thread Reply:* We asked VGE (Vodafone Global Enterprise) for that some months ago, but whereas I was under the impression that it was simply spinning up another VM based on the MI ReportingDB install guide, VGE told me it would require a 3 month project as it wasn't part of their standard services...
*Thread Reply:* I might otherwise just spin that up on-premises and open up the required network ports to make it work?
@Duncan A fair bit, as we’re responsible for IronWorks (https://www.bridgeway.co.uk/ironworks) - which APIs are you using that are causing the issues? Also, are you requesting the data as CSV or JSON?
*Thread Reply:* One example is the API query https://corename.vodafone.com/api/v2/authorized/users?adminDeviceSpaceId=1 but we are basically trying to use all v2 APIs and also some v1 APIs. We are using a combination of JSON and CSV. I think most API queries are returning JSON. I am using Microsoft PowerBI as the tool, and so far I did not worry about offsets and limits as it seems that PowerBI manages to structure the data for me. But maybe that is part of the issue? But still, I can understand that the API queries cause a certain (high) load on the Core, and that it takes a certain time to process. But now it seems that processes on the Core just die (Tomcat?). Shouldn't that be protected from happening?
This is an example that VGE shared with me illustrating the API Core load
Core can handle many API requests, also in parallel. We have developed some tools which intensively leverage the API and keep a Core with 8 Cores at 70% CPU average. At that load, Core is still responsive and everything is working as expected, so it can deal with such load.
We have seen issues with large scale data extracts using JSON - believe it or not, some of these are better under CSV, but please try both and see how your own Core server behaves. I would suggest monitoring memory space carefully in your VM environment, as this may highlight capacity issues too.
We have only been using v2 APIs in IronWorks, so I can’t comment on v1 calls, but happy to take detailed questions via DM. Just please bear with me as I’m on annual leave at the moment and the timeliness of my responses will suffer as a result.
@Woody @Martin Cygan @Russell Mohr question about the phone number sync recently(ish) introduced.
Does it sync semi-regularly or is it taken only once on enrolment and never updated again?
Jason, my understanding is that this will update on a regular basis. As you can change the SIM in a registered device and it should update on the Core/Cloud server to reflect the 'Current Phone Number'. But I don't know how regularly this happens. I would suspect it is what's used for the 'SIM Changed Event' to be triggered.
Agreed, I ask because MI support earlier suggested it's only collected on enrolment with Cloud and I thought.. nah.
The new feature that was added recently isn’t about collecting SIM/Phone number information. I’m fairly sure we’ve collected that info from some time
Rather, on Core 9.6 at least, we can change the permissions Mobile@Work is asking for to exclude the Phone permissions
which some users, especially BYOD, find alarming. Phone permissions allow an app to make phone calls, send SMS, etc.
We can skip asking for that permission… but then we don’t get the phone number, IMEI etc
@Russell Mohr uploaded a file: Screen Shot 2017-12-06 at 3.28.39 PM.png
What I do know is either a core or agent update recently started showing phone numbers against my devices. Prior they had been "PDAx" for as long as I remember.
I do see phone numbers on MobileIron Cloud for devices that were retired over a year ago
@Russell Mohr uploaded a file: Screen Shot 2017-12-06 at 3.38.26 PM.png
I need to start reading through release notes.. but in any case I just need that confirmation if a number changes, Cloud/Core will update it.
although we don’t do a SIM change event on Cloud
hah- I don’t know for sure--- needs to be tested
I've got a dual SIM phone here registered on Core that lets me edit numbers actually (few androids do). I'll try it. Doesn't answer for cloud but ...
As far as I know, have checked it, etc. it always has updated. Only when you remove a SIM, for example an iPad, then you might see strange behaviour (all zeros, strange carrier, etc). But I think it updates every check-in with the Core/Cloud
Oh I would like a tenant actually.. which is far more than you just offered, sorry 😝
I can use the company cloud tenant for this..
@Mark Vonk I'll just try it now. I had zero doubt before Support told me otherwise.
I am not sure about dual-sim devices though. Never seen one registered on a Core (or at least knowingly). But a regular SIM change (and phone number change by that) has always worked for me.
Dual SIM isn't important for reasons other than it lets me edit the number rather than reading from the SIM (so easier to play with). SIM 1 is always primary so will take precedence in showing in EMMs
Which brings me to one of my biggest UI/UX bugbears with the admin console. We’re in the C21st and it’s still listing SIM-less mobile devices as “PDAs”. This seems anachronistic with the current tablets, slates, laptops - even desktops with Bridge -, Apple TVs, and other modern devices that can be managed with MobileIron.
Anyone here tested the latest iOS Mobile@Work client v9.7? Seeing an issue here for DEP devices
Once installed from Apps@Work post registration, or reinstall of app from Apps@Work, it does not recognize it as DEP Supervised, and asks for a device PIN for Enrollment, doesn’t pick up the registration.
The managed App pre-authentication token for Mobile@Work is not DEP related, but nevertheless a crucial feature 😄 Haven't tested that yet
We just tested a Non-DEP device too and it also happened, seems to be a bug with 9.7 we are seeing
How much time passed after installing the app and launching it for the first time?
The token has a time limit. Probably the device's system date/time has too much offset
We have tried on about 6 different users and devices, waited 10+ minutes
Interesting @thebjohn that’s not something I can see that would have really called attention to itself (to warrant any sort of change).
Oh they identified a bug already, on a call with our Premier Support guy now
Issue still under investigation with MI Engineering, but they know the issue
Caching allocation for memory issue, Engineering still reviewing to determine root cause
I've just tested the ireg registration process + install M@W via CORE to get the managed app token for me it works with 9.7
It’s intermittent. They confirmed a caching issue with Core.
So if it's a Core issue is it independent of Mobile@Work version?
According to MI Engineering, it is not, which we found strange based on our findings of it happening with the latest client. Coincidental according to Engineering
@thebjohn uploaded a file: Image uploaded from iOS
I’ll provide more info as we move forward with the case
@Woody uploaded a file: CoreConnectorReleaseNotes9600_Rev30Nov2017.pdf
I’m on 9.6 and don’t see it. Do I need something in addition to Core?
Looks like I need to look at the core apps at work guide.
the only difference between before and now is that it is officially supported and also they fixed some of the issues we had
It's a basic Core server, but you configure it without a MDM (APNs) certificate for Apple devices.
But lots of restrictions on running MAM-only for iOS. Read the Apps@work guide for Core; there is actually (for MobileIron with new features) a lot of info in there about it.
MobileIron Tunnel released as MobileIron Centaur in China App Store: https://community.mobileiron.com/docs/DOC-7346
*Thread Reply:* Well, boo! Anywho, it’s being re-released in the China app store. For Core, ATM.
*Thread Reply:* https://itunes.apple.com/us/app/mobileiron-centaur/id1315143363?mt=8
*Thread Reply:* Was it pulled because it's a VPN client? What's the workaround that got it back on?
*Thread Reply:* Well, AFAIK it’s a front-end activator for the VPN configuration profile that MI delivers. It may house the config, but in all reality it’s the Apple built-in VPN framework doing the heavy lifting.
*Thread Reply:* “MobileIron Centaur supports the same list of features as MobileIron Tunnel.”
*Thread Reply:* The next one will be MobileIron Unicorn[TM], you’ll see… 😉
*Thread Reply:* And who doesn’t want a VPN secretly disguised as a Unicorn on their device? #Clever
*Thread Reply:* Centaur works the same as Tunnel but also pipes a copy of the unencrypted traffic to a Chinese gov server farm, which makes it compliant to the Chinese regulations.
But it's also possible that the app name just is not allowed to contain any references to Tunneling techniques.
*Thread Reply:* That's pretty horrendous (the regulations)
*Thread Reply:* Was just kidding (hopefully) 🙂
But more important to me is the question if this change will have an impact on device-based VPP distributed MI Tunnel when the VPP licenses were purchased in another Country. Would devices in China still be able to install MI Tunnel when they receive it as device-based VPP installation request?
*Thread Reply:* https://goo.gl/xOWk1m
*Thread Reply:* We JUST rolled out Tunnel for Safari and Remote Desktop client globally this past Thursday, this is a real kick to the dick considering we just rolled this out
*Thread Reply:* We have about 350 Corp devices in China we have to look into re-Engineering our solution for. I had 0 idea this wasn’t available as of July
*Thread Reply:* And strangely, we rolled out a Field Test for some BYOD changes for iOS. We have a user in China as part of this Field Test, and I see he has Tunnel installed. This Field Test was just rolled out last week...
*Thread Reply:* Well now you've lost plausible deniability when they come for you @thebjohn
*Thread Reply:* @thebjohn As I understand, devices which installed the app before the removal from China AppStore will keep it. But you cannot do new installations.
*Thread Reply:* Doesn’t seem to be entirely true, as we deployed Tunnel last week as part of a Field Test, and the 1 user we have in China as part of the Field Test has Tunnel installed 🤔
*Thread Reply:* Is device-based VPP in use? Maybe this circumvents the limitation somehow.
*Thread Reply:* Hmm, we are leveraging VPP for Corp only based on labels, not for BYOD
*Thread Reply:* Product Bulletin also states just Tunnel v2.2, I assumed this also applies to future releases, or it should? We see v2.3.1 in China on devices
*Thread Reply:* I just registered a test device and selected "China" during setup. Also added an Apple ID whose Country was set to "China". Device-based VPP installation works for MI Tunnel 2.3.1. The Apple ID cannot find MobileIron Tunnel in the AppStore, only Centaur. I have no clue if this is a meaningful test result as the device is still physically located in Germany and the same device already was assigned with a VPP licensed MI Tunnel app before I wiped it.
*Thread Reply:* That sounds like a fair test @Tobias. It sounds like you’re being ushered-in to the China instance of the App Store based on the Country you selected (instead of being redirected based on Geo/Source IP)
*Thread Reply:* If that’s all it is though, just telling users to register as in another country is all it’d take to keep Tunnel running
*Thread Reply:* So even if you publish an app in Apps@Work using a bundle ID and select AppStore Country say United States, a person in China can still pull from the US AppStore even though Geo should route their device to the China AppStore?
*Thread Reply:* It sounds like China the Great would have taken that into consideration as part of their blocking…
*Thread Reply:* That’s my assumption. So for a global company, whether you publish in Apps@Work as US blanket across the board, devices should technically still pull from their Home Country Apple AppStore, that’s my assumption. But based on what we are seeing for Tunnel in China, something is funky here
*Thread Reply:* Regarding traditional app deployment through Apps@Work this should definitely hold true. The installation request contains just the App ID and the app is downloaded from whichever country app store the Apple ID is currently configured for. However, for device based VPP the same is unclear to me. Apple doc states "VPP apps can be assigned to devices or users in any country where the app is available, enabling multinational distribution for your enterprise". But how is the device-to-country mapping done?
*Thread Reply:* Btw, 德国 is Chinese for Germany, if anyone ever needs to move back his Apple ID Country from China to Germany 😄
*Thread Reply:* @thomrburg can provide some insight regarding VPP here. I believe he said previously that an asset (app) is made available based on the countries selected by the developer. I’m not sure what specifically is used to determine -what- store the lookup/request is performed against.
*Thread Reply:* We have a user in China testing some scenarios for us. If it is in fact somehow reaching back to the US AppStore, then we have a problem. Moreso if it is doing it over cellular, which shouldn’t even work if it is communicating with the China public AppStore. I would also be very curious to see how other global companies are handling this, especially if they deploy their internal network in China, which has to route back out.
*Thread Reply:* Also, I don’t see any official documentation on the Centaur app other than what is published in the public App Store for the app. I would like to see some official doc on capabilities and differences between Tunnel, especially the part that was mentioned earlier about traffic being unencrypted and piped to Chinese govt servers, that would be a huge legality issue for us
*Thread Reply:* It was also a joke, but not far from reality I'd fear.. :p
*Thread Reply:* Although a joke, it wouldn’t surprise me. I’m finding it hard to believe the same app just published under a new name for China is all there is to it
*Thread Reply:* Got confirmation from our account manager after touching base with MI PMs, Centaur code is identical to Tunnel, only difference is app name for China.
*Thread Reply:* I wish there was something more exciting to their response
*Thread Reply:* Just to make sure, I was joking with the statement regarding the traffic sent to Chinese gov (even though it's not far fetched). Should definitely have added some mischievously grinning smiley to the post.
*Thread Reply:* I knew that was the case, but as you said, it wouldn’t be surprising if that was the case. I still see this as being a workaround for the China VPN issue by a name change. Maybe I’m wrong
*Thread Reply:* Also a sidenote: Hong Kong, which belongs to China but still has very many privileges, is not affected. Hong Kong has its own App Store which is different from the China one and still includes MI Tunnel. Maybe this makes it easier for some companies which may be active in HK but not in the rest of China.
*Thread Reply:* That is interesting. That might explain why we have a test user in China who is still able to install Tunnel
*Thread Reply:* Do you have a reference article to this statement?
*Thread Reply:* No, I just switched an Apple ID around between countries. China and Hong Kong are listed separately. switching to China = no MI Tunnel, switching to Hong Kong = MI Tunnel
*Thread Reply:* So essentially, having an Apple ID associated with another country is a workaround, home country and physical location in China doesn’t matter...
*Thread Reply:* Well, we cannot know, if physical location matters, as I could not test that. I strongly assume that the Big Firewall prevents access to other country app stores on a network level, even if you switch your Apple ID to a different country. Also it's possible that iOS devices sold in China have a builtin prevention regarding switching AppStore country. Also this test does not shed any light on device-based VPP distribution as it is independent of the Apple ID. Customer will deploy a few test devices in Beijing soon, will update with our findings.
*Thread Reply:* We have a user in China, Home Country and Carrier both China. Apple ID associated in India. He is physically located in China, and confirmed able to access Tunnel. VPP is in India, so this may be why it is working, but I assumed the Great Firewall would be blocking it, it appears not
@thebjohn uploaded a file: Image uploaded from iOS
@Jason Bayton commented on @thebjohn’s file https://mobilxperts.slack.com/files/U1VJYP9S9/F8DCZSM1S/imageuploadedfrom_ios.gif: yup
Just saw that other thread on Centaur and now it makes sense
It wouldn’t let me post it in that thread for some reason. But yes, in regards to Centaur
Yeah, it appears threads are limited to just text, links and reactions for now
@Preetham Guram has joined the channel
Hello World!!!
Hey there @Barrie Codona, happy to be part of this group.
I worked with Mobileiron between 2012 and 2015
While I am still in touch with folks who build and support Mobileiron, this group is a great place to learn great stuff.
Thanks Eric. It’s great to be part of this group 😊
@Dave van den Bergh has joined the channel
Question regarding Self signed certs? We created a self signed cert with a lifetime of 365 days and we distribute it with our primary WiFi configuration. The cert was created on 12/30/2017 and we were wondering if a new cert needs to be created? Certificate Management logs show that the cert expires on 12/30/2017, which leads me to believe we need to create a new cert and should set the lifetime to much longer than 365 days?
Oh yeah, creation on 12/30/2016. Lifetime of 365 days.
And yes, certificates need to be renewed (ideally before their expiry, so that you can push them out in plenty of time before the transfer mechanism disappears)
You can create certs for longer timeframes, but of course, the longer the period, the greater the risk, which is why one or two years are the typical length.
Does this sound reasonable then?
The existing config/cert will work until 12/30/2017 and the devices will get a new cert when/if it connects before 12/30/2017.
Agreed - just ensure that there’s a 1(a) step there: ensure new cert is also accepted on the backend WiFi APs.
Yeah, we’ll be providing that information to our DNS folks to allow the cert.
@japple the CA issuing the certs should be good for way longer than 1 year. If the device identity cert is expiring, it will be provided a new certificate when the existing is preparing to expire (courtesy of the SCEP config). There should be no reason to create a new SCEP, when the one in place will work as designed nearing a cert expiration date.
@Woody, good point - I was reading this as a standalone, imported cert.
Or is this a group certificate (single cert created from an external CA and given out to many devices) and installed to the device certificate store? In that case, you’d need to obtain a new certificate from the external CA and hand out alongside the one that’s expiring. It will not self-renew, like a SCEP’d cert.
Self Signed Cert created in Core-->Assigned to a SCEP profile-->assigned to a WiFi config
Haha @Jason I have a little history with this one, if it’s the one I’m thinking of.
Yes, SCEP should renew that for the device on its own.
What raised an eyebrow is many of these in our logs:
When did those first start appearing (as far as you can tell from the logs)?
Also, check the validity dates on the issuing CA. It should be good for awhile
We just noticed them last week, but they date back to 9/20/2017. And yes, it’s probably on iOS 8.3. Long story. 😞
Sorry to ask, but how do you check the validity dates on the issuing CA?
Well, it used to display in the Services -> Local CA screen
Download the certificate, import it to your Keychain Access or Windows User Certificate Store and look when it expires
@Woody uploaded a file: Pasted image at 2017-12-21, 10:39 AM
Default is 30 years, so I’m almost certain it isn’t expiring any time soon
Interesting. Yup, you’ll need a new CA to issue certs moving forward. I’d recommend a CA life of 5-10 (or even the default of 30 years), so you don’t have to jump through this again later.
Not sure how that got set to 1 year but hey, crazier things have happened.
Weird indeed. But if you create a new CA and point to it in your SCEP profile, I am pretty sure the Core will start pushing new certs directly. This means your WiFi will need to accept certs from both the old and the new CA. Otherwise either one will not work and some devices will have WiFi access and others not.
Yeah, I was going to let the DNS folks know to accept both certs.
@Woody any plans to support smart speakers? Alexa, Home Pod Google home?
Not that I’m aware of @macbentosh. Do you have a particular use case you’re looking to accommodate?
@Woody this one came to mind when Amazon initially announced it
https://aws.amazon.com/alexaforbusiness/
That being said I think Amazon is trying to do this themselves with Alexa for Business
Our network will require settings to get on the WiFi. Maybe disallow skills or integrations.
@macbentosh what features would you use on a smart speaker if skills or integrations were disabled?
Based on what @Kiran Patel provided, it looks to be a closed system for the time being. If you’ve got a provisioning device tied to your Business Alexa account, I think it could handle damn near everything applicable to your business (Skills enabled/disabled/allowed/etc).
Only thing I can see is a need for the ability to have sub-accounts for provisioning, management of devices, etc.
Ok here is a weird issue. iPhone X Email notifications on lock screen with privacy. (only show the content of the email when unlocked) Show my phone my face, phone unlocks, emails show text and subject, then disappear.
http://www.zdnet.com/article/my-favorite-iphone-x-feature-hidden-notifications/
Personally I turned it off. Too often my phone was lying flat on my desk and not staring back at my face.
I personally like this feature and some even tout it as an "Enterprise DLP" feature so you don't have to scrub lock screen notifications. Ideally there would be an MDM control to require that feature to be enabled for CORP devices (haven't dug in to see if it is). Just sayin... 🙂
Not a feature: the messages go off screen and don't show the content
@macbentosh uploaded a file: This should happen I don’t think.
MobileIron Live ‘18 - Coming to a region near you!
Anyone seeing issues with Home Country Name not Reporting back to Core? Seeing this on 9.4 and 9.6.0.1
*Thread Reply:* Yes we have seen the same. Also incorrect Home Countries, but that is already addressed: https://community.mobileiron.com/docs/DOC-7477
@lovelessinseattle has joined the channel
so the wallpaper policy is not centering it on the device. Do we Need one per device type?
I can’t say I’ve seen a KvP/setting that allowed to specify “Center”, so I’d guess you may need one to match the resolution per type of device.
@macbentosh iOS 11.2.5 is out and saw this that you may be interested in... "– Fixes an issue that caused Mail notifications from some Exchange accounts to disappear from the Lock screen when unlocking iPhone X with Face ID"
Core 9.6.0.2 update appears to have killed my lab :(
I would not expect a 404. 5xx sure if the tomcat services are stuck/dead but 404 suggests either redirecting to the wrong place or the update deleted stuff it wasn't supposed to, lol.
Good job you backed up before the update....right...?
Nah, I'm building fresh from 10 beta (when it drops), so didn't bother.
I think you can call MI support to get a quick fix
Jesus yep found it 😄 -- wait, no.. still looking
I’ve Demo’d MAM-Only in the lab @macbentosh. Yes. It’s got to be on two separate appliances.
Haven’t dealt with Box for EMM. Guessing they just provide additional controls over that specific app (above and beyond what’s on the basic Box app)?
can users use box with mobileiron deployment and without?
*Thread Reply:* From my understanding, it is one or the other. The Box for EMM gives you the ability to push the plist file and use the Box admin console to control DLP. If you don't leverage and EMM then you would just use public Box app. Did that answer you question?
We use Box here. Users with and without MDM can use Box, but that is because that's what we configured on the Box server to allow.
Shortly we'll be rolling out Ping in front of Box authentication on mobile to vet if the device is MDM managed or not for conditional access.
@macbentosh yep running iOS/Android MAM Only + iOS/Android MDM with two cores
Now that this feature is officially supported, the implementation should be better
In CORE 9.7 Beta they support MAM+MDM on a single CORE normally
Anyone tried a work-managed AE deployment in 9.7? My heap of test devices can't finish enrolment (hangs forever on checking for updates in the client).
*Thread Reply:* I logged a bug in the beta portal but it's not even been sniffed at so far.
We're not using EMM because one high-profile user doesn't want MI
@here anyone using Assemble on Core with a space other than the default (1)?
how can MI enforce a persistent banner notification?
I'm setting up a beta core, however keep hitting the same snag - when I try to enrol I get a "mutual authentication error" that appears to be client side as the server is not logging anything.
It's built with the same SSL certs and provisioning is over HTTPS rather than 8080.
Both it and the prod core sit side by side behind the same HAProxy and are configured identically except for the hostname.
Client agent logs just repeat the same mutual authentication error with little else.. ADB isn't an option while enrolment is pending with this AE device.. but I can get it from another.
It appears to be related to the TLS provisioning port on 9997 secured again like the prod core with my SSL cert (SAN). HAProxy logs show the connection is being passed through successfully to the beta core, in the very same way it is with the prod.
Did you change or edit the default cipher suites on the Core?
I've made no changes there, looks at a glance to be the same as 9.6
When do you get the error during registration exactly?
Literally at inputting the hostname and tapping next. Doesn't even get as far as username request.
Hostname in Mobile@Work? What kind of registration are you doing, you mentioned AE?
Indeed in the M@W agent - I've tried both AE work-managed with the latest agent pulled from MI servers and standard Android via Play-installed agent. Same issue across multiple devices in LAN and 4G.
I've logged this with MI as well on the off chance I need an updated agent but I doubt that to be the case.
Ok, never seen that error before. Might be a beta issue, but does sound like a TLS/SSL issue, in particular because of the lack of substantial logging. Have you tried uploading the certs and chain again for TLS? The M@W app uses port 9997 for registration and my experience with MobileIron is that when there is not much in the logs, it is typically an SSL handshake issue.
Ah yeah, I've reuploaded the certs, reuploaded them to the prod lab and tested to make sure they hadn't corrupted (all works), rebuilt the beta core and went through the whole build all over again to make sure it wasn't just a weird glitch, have had the proxy logs running in real-time showing the traffic going to the correct place.. I'll keep looking until MI respond.
Only thing to test would be the HA proxy in front of the Core. Could you bypass it and have device connections land on the Core directly?
Yeah that's the plan next. I feel pretty confident though as I've been running this setup with every beta/prod duo since 9.x landed.
No difference directly natting all relevant ports to the core, mind you internally DNS overrides to the internal address anyway -which I also temporarily disabled for testing
Found the problem - spent all my time looking in the mics and just noticed this:
Catch 22; how would you get the client cert, when you are unable to enroll? Really should read the beta info, I know....
Beta documentation mentions nothing of it! Maybe they've just cocked up
Has anyone heard of the MobileIron agent on iOS not being able to update below iOS 9? I've been dropped into a call out of the blue where this is apparently a big issue for a customer and I've never heard of such a bug.
Never heard of it, but makes sense.
Remember recently apple required all app developers to have their apps submitted as 64bit apps.
So any device running anything less than 9.3 (I think) probably doesn't have the processor architecture to support it.
That is a very good point.. I've literally zero info to go on this so can only speculate currently.
A good number of them are iPad Air with a 64bit proc. 😞 I did notice converting to managed app is only available from 9.0.. so could very well not be updating automatically because of that. Also talking to MI the agent is supported from 9.0, but made available to 8.x as well, so possibly something to do with that.
It turned out to be a completely different issue - typical!
*Thread Reply:* It was nothing to do with iOS version, but agent version. Competing configs and one of them blocking app installations. There's a wider issue with the APNS losing connectivity as well. All bundled up into one "it don't work"
Has anyone else experienced the 'save' button being grayed out when editing a DEP profile or trying to add a new DEP profile in Core 9.5.0.0 and Core 9.6.0.2?
Nope, not an issue here. Do you have the Manage device enrollment (iOS only) Role assigned?
Yes, manage device enrollment (iOS only) is assigned. A few folks have reported the same issue in this thread.
I know what you mean. Saw that issue, let me check: it's a combination of fields you need to select/de-select/fill before you can save it. hold on
Thanks Mark. I've clicked and unclicked what seems like everything.
Did you enter a username and password for "Setup Managed macOS Admin Account" ?
Also, you will need to select "Show custom text on the Login page" and enter some text and then de-select it again when you do not want to use it. And... Select "Await device configuration during DEP setup" and make sure some value between 1-10 is entered and again, de-select it when you do not want to set it
Username btw may not contain "admin" or "root" I believe
Yes, I did test adding a username / password for "setup managed macOS admin account".
ok, I just tried all of these options and the issue persists. I did open case 00396144.
Weird issue. Just keep clicking on options and fill in the fields and on some point you can save...
Thanks for the help Mark. I'm able to create new and modify existing enrollment profiles after going through what you laid out again.
Does anyone know of any practical issues with running Core/Sentry in Azure?
Except for a special Sentry, it's not supported to run the Core in Azure. So for production servers, that would be a practical issue. The Sentry is kind of like a template you can select in AWS/Azure, I believe. Without it, you probably can't configure it like an on-premises virtual machine?
Ok good to know. This is the first Azure related query I've ever had so interesting if nothing else!
This will make for an interesting read: https://community.mobileiron.com/docs/DOC-6600. If you search for something like "azure cloud installation" on the MobileIron communities website, you will also find the installation guide.
has anyone setup MAM only on another core? Do you link the cores together somehow or just let them run.
I've not configured this yet, but reading through the Apps@Work guide, you would configure these as 2 separate servers that are not linked together.
One would be your EMM Server (MDM & MAM) and the other would be just MAM.
Correct @Barrie Codona, they are run as two entirely separate instances ATM @macbentosh
any good way just to make a backup then restore it
*Thread Reply:* System backup via the MICs is pretty bulletproof
*Thread Reply:* Was looking at backing up current core and restoring to the mam core
*Thread Reply:* So you should be able to run a system backup, then restore it to the mam server without the system settings. I haven't done it this way yet (always restore settings too) but it's been flawless each time.
*Thread Reply:* Yes but doing this requires removing the APNS MDM certificate in the DB. Note that Core 9.7 will support MAM only on the same CORE
*Thread Reply:* Core 9.7 will support MDM + MAM only on the same Core
*Thread Reply:* how can you separate the configs?
*Thread Reply:* Didn’t test it yet but I’ve seen it in the release notes in the Centercode beta portal
*Thread Reply:* MAM Only
Ability to disable profile installation for iOS MAM-only devices
*Thread Reply:* You need to ask your MI sales or system engineer
Anyone implemented custom branding in Core? We rolled ours out this last Thursday after our Production upgrade to Core 9.6.0.2. The reason I ask, is I noticed the configuration associated with it (System - iOS Enterprise AppStore) has seriously slowed down in pushing this config to remaining devices in the Watch List. Any way to speed this back up?
Random ? in case anyone knows. One of our Sentrys was built with a typo in the enable password. Is there an easy way to change just the enable password and not have to rebuild the entire config?
@macbentosh Devices are checking in, Core just seems to be slowing down in processing this push
@Kiran Patel Change the Enable password in the Sentry GUI:
@Kiran Patel commented on @Barrie Codona’s file https://mobilxperts.slack.com/files/U7JE59F0B/F9C2FGZ18/image.png: Wow thanks, that was a brain fart on my end! Appreciate the help Barrie!
@Barrie Codona commented on @Barrie Codona’s file https://mobilxperts.slack.com/files/U7JE59F0B/F9C2FGZ18/image.png: You can also change it via the CLI from within the Configuration Terminal using the 'enable secret' command.
@here is anyone using Core with SAML and an IdP other than ADFS? Perhaps one that does not allow for the upload of the SP Metadata (e.g you created the corresponding IdP Service by hand)?
@Woody Not at the moment. We are leveraging ADFS but now getting into KCD for “SSO” type auth
@thebjohn Okay. Just working to create an integration guide and curious how it looks for other IdPs that have manually created services.
so our sec policy says we allow 30 min. Device only allows up to 5
You’ll find that the “Max” in a policy can always exceed the Max that said device will allow. Phones never have allowed for more than 5, where iPads have an upper limit of 15
so can i push another config to set the time i want within the limits
You can’t actually set “never” as the option that user-selected on the devices or any value for that matter. All You can do is define the maximum allowable value. To allow never as the maximum allowable value, simply do not define an auto-lock value in your profile.
So you could do a Policy for iPhone (5 Min) and iPad (15 Mins)
So there’s a default value, enforcement and the user can set any value they want in the range
any issue with Core being on 9.6.0.0 and Sentries being on 9.2.1?
@Woody uploaded a file: @macbentosh from the Sentry 9.2.1 release notes:
asking because I’m having an error with Docs@Work
Sentry sees Core as the Mothership/Brains of the Operation. So, it’s usually a bad thing if the employee is more up-to-date than the Boss. Reason being is that the newer Sentry may have more functions available than the Boss can support
I wouldn't go up to 9.6.0.2 .. took out two of my lab cores with a bug requiring a DB edit.
last time same issue for us. Will I be ok with my Sentries on 9.2.1?
also getting “Invalid response from server. If the issue persists, contact your administrator.” from a working CIFS share. I can connect to it from my Mac at smb:// but the Docs@Work config is https://
Personally, I would rebuild each and lower them down to a Core 9.6.0.0 supported version (in case you need to launch a support case).
@Woody uploaded a file: 9.6.0.0 Supported Sentry Versions
@Woody can I restore from a snapshot without issue?
FYI I configured a Surface hub today to authenticate using certificate to a Radius (802.1x) in a Wired network :-) Worked fine using SyncML
Per-App VPN availability for macOS. Core 9.7 release or still TBD?
*Thread Reply:* Confirmed as beta release in Core 9.7, so fingers crossed!
@macbentosh regarding your CIFS issue with Sentry 9.2.1 - this might be due to support for SMBv1 being dropped in Sentry 9.2.x.
Apparently partially based on our work with IronWorks, which was a pleasant surprise!
@Woody commented on @Jason’s file https://mobilxperts.slack.com/files/U7HRBAQGY/F9LM5PX52/imageuploadedfrom_ios.jpg: Congrats, Jason!
MobileIron must be handing these out in alphabetical order and reached Ja(son) now 😀
@Mark Vonk Hahaha! You’re pleased they’re not doing it by surname, I guess? 😉
@Jason Bayton - I think Paul and Jim were happy to accept on your behalf. Well done!
It's a pretty incredible name, though I'm probably biased.
Well, I’m not sure names work that way, Paul…
Anyone deploying Exchange Mail configurations to macOS via MI?
@Jason Utilizing an IMAP config I’m assuming? Pointing directly to an EWS externally accessible URL?
**as in, both should work, but you may find EAS support in Mail, erm, interesting?
https://support.apple.com/en-gb/HT201951
I will be honest, I have found the Apple Mail app to be awkward to use with Exchange.
Outlook for macOS is not ideal, but also an option.
So you had to manually configure and couldn’t push out this config via MI Email Configuration? I referenced this article earlier
We did this a couple of years ago and it worked then - however, I haven’t tried recently.
We currently do not have EWS enabled on Exchange. Currently, the only way to access email on mobile is through our Sentries, which connect to Exchange via ActiveSync. I’m currently ID & Assessing macOS capabilities, and wanted to know the ins and outs of email for macOS.
Nope, sorry, just checked and yes, we’re pushing EAS settings out via MI to macOS devices.
(I don’t use Mail for the reasons I’ve already hinted at, but let me check)
Yep, working in Mail with EAS settings pushed through MobileIron.
So the standard Exchange configuration (as we use for iOS) pushed out to macOS devices as well. Mail app picks this up and runs with it fine - just checked inbox sync’d correctly and running as you’d expect.
Personally, I cannot stand the Mail app, but it does work.
Your power users (esp. if they’re moving from a Windows background) will probably ask for/expect Outlook instead, which can be manually configured to work with EAS too, of course.
Interesting, I’ll have to test tomorrow to see if it works for us too. That protocol isn’t supported, so I’m a little baffled.
I believe EAS support has been in Mail for a few years now. It also supports Contacts and Calendar too.
(Saving you from having to push out CalDAV or CardDAV alternatives)
I’m going to test and get back, based on documentation, this shouldn’t be working
The Apple site you just referenced, as well as the latest Core 9.6 doc, Device Management for iOS and macOS
I believe in macOS it pushes the profile as an EWS profile, not ActiveSync.
@Simon Hardy-Bistagne That makes more sense. I’ll test again tomorrow and see, as our standard Exchange config is set to use ActiveSync, as I imagine a majority here who utilize Exchange are also using for iOS and Android
I assume this applies to Core as well and not just Cloud
Yes, @thebjohn - Any time an Exchange config heads to macOS, it is interpreted as EWS
@Woody I was not aware this was the case, good to know. MI documentation did not seem to specify that in the iOS/macOS guide for Core 9.6+
Yeah - I don’t believe it’s even a function of the EMM. It’s more about how Mail in macOS interprets and installs the config
@Woody I plan to test again tomorrow and see how it goes. Thanks for the insight on this everyone! I’ll let you know how it goes tomorrow
Ah, just learnt something about the magic behind the scenes there. Thanks.
I did confirm the mail config gets to the Mac this morning, but the Mail app does not recognize any config for Exchange
I confirmed with our Exchange guys that EWS leverages a different URL, so I copied our existing Exchange config for iOS, and created a new one to leverage the EWS URL, unfortunately no dice. Gets applied to the device, but mail app doesn’t recognize
Is that down to the config or a conditional access role in the O365 platform blocking macOS?
I don't think SEG can enable EWS, so you need to enable it on the O365 side manually
Does it work by manually configuring the Exchange settings in the app (well, system preferences)?
Strangely, I got it configured, but doesn’t seem to be connecting, get an Account Error in the Mail app on the Mac. I’m working with my Exchange team now. They had to enable EWS for me and tweak a few things. Being that it would not leverage our alias for passing through Sentry as we have for ActiveSync devices, I’m in discussion if a new alias which would then have to be configured into Sentry would be necessary.
Wireshark and firewall logs are your friends. 🙂 Good luck and happy hunting!
Curious @thebjohn - Does that same account work with a manually configured entry in Mail?
@Woody It authenticated but then shows account error. I’m working with our Exchange guys to see if EWS is only accessible internally, which I’m guessing so. Meaning I would need to create a new entry in the Sentry ActiveSync Server config in Core for the EWS URL, assuming it supports it and multiple “ActiveSync/EWS” Server config
Sentry documentation says supports multiple domains for ActiveSync, but nothing for EWS
The best you can do in this scenario is create a separate Exchange config for macOS that points direct to the EWS service. Sentry will not be in a position to accommodate EWS traffic.
Core documentation sucks and does not reference EWS in the way Cloud documentation @Simon Hardy-Bistagne provided
@Woody So basically direct connect to EWS and no pass-through Sentry, that’s going to get shot down real quick here lol
Right. Sentry is just an ActiveSync proxy. Just start looking at securing the EWS service itself. O365 or On-Premise?
If nothing else you could force EWS traffic through a VPN/MobileIron tunnel and allow access to EWS only from on-premise tunneled network segments.
That would at least accomplish the task of proving that the connection was coming from a managed device.
Oh, I didn’t think about that. So potentially leveraging Tunnel Sentry to pass through EWS traffic. Assuming I wouldn’t have to then Tunnel the Mail app as it passes through Sentry and can’t do per app VPN on Mac yet anyways
Yeah, I’m just tossing out ideas for future consideration 🤓
That’s the closest thing you could have as an “EWS Proxy” I suppose.
Per App VPN (for macOS) rumoured to be in Core 9.7, which is due very soon, allegedly.
Cloud will have it too - not sure which one you’re using?
We are Core, currently at 9.6.0.2. I’d be interested to see Tunneling the native mail app and Remote Desktop client for Mac. Looking forward to 9.7 (assuming this capability comes with it).
I’m curious what would happen with Per-App VPN for Mail if a user added their personal GMail as a tenant. Surely there would be a URL filter component applied.
Or it would only tunnel traffic for managed configs inside Mail
I’m guessing the latter, that’s the ideal
I’m guessing the former, as the VPN applies to the app, not the container/email settings
You’d have to either accept the tromboning of the data, or block it by firewall/web filtering
@Jason So possibly deploy Outlook or a third-party client for Exchange mail
Or… flip EWS to use CBA or something that an unmanaged client could not produce.
You then eliminate needing the VPN/Tunnel altogether
@thebjohn Is this a corporate owned and managed device?
Scope is currently just personally owned (BYOD)
Hmm, VPN is somewhat out of the question then. I would go down the Tunnel route.
Why not use the SEG URL as a proxy for the EWS traffic?
Ah sorry yes... Same thing....! 😀
Just have the EWS URL point to your Sentry to proxy.
No need to VPN or tunnel
AFAIK Sentry cannot proxy the EWS traffic. It can handle ActiveSync and AppConnect (MobileIron proprietary)/Tunnel (Device Native/Per-App VPN).
But no AppConnect for macOS, so that’s academic in this case, unfortunately.
I do wonder if that could be easily bolted-on, because you’re probably going to see shops requesting the function
I’ve never heard of proxying via Sentry for this, either, btw.
I’ll just have to wait and see what’s in store with macOS per app VPN in Core 9.7 (potentially)
Looks like Cloud will be down for a while yet 🙄 🤔 😕 😬
AnyConnect Legacy will no longer be available for iOS 12
Default update URL? 9.7 released with no announcement because they're running behind.
MobileIron Core upgrade URL Use the following URL if you specify an alternate URL: https://support.mobileiron.com/mi/vsp/9.7.0.0-58/mobileiron-9.7.0.0-58
Core 9.7.0.0 has been removed due to upgrade issues. 9.7.0.1 will replace it.
MobileIron QA process has been challenged of late - or so it would seem....
And over a permissions issue as well. Linux 101...
I'll take the bugs Simon, thanks
I think it's hard to maintain the current flow of Core updates. We have customers running Core since Core version 4 or 5. With all the different versions, upgrade paths, etc. it seems hard to get the updates correct and tested. I do believe they are working on a new code base for Core (based on Cloud) which should be a lot easier to maintain. Some of the basics in Core do need a complete overhaul I think. Hopefully migrating / upgrading to the new infra will be easy, but I am scared it won't be.
TBH, all the releases from AW, MI, and MS I've seen lately have been full of bugs, broken functions, or simply poor QA. Seems like they're all struggling to keep up with the constant demand for new features.
upgrade path MI releases it - Hit install - Open a ticket for them to fix it.
Back to business.. setting up Kerberos auth on SSRS (SQL Server Reporting Services). Would W@W work with that?
https://stackoverflow.com/questions/40253751/ssrs-2016-native-double-hop-windows-authentication
Provided you’re able to delegate the MobileIron Sentry SPN to the SSRS SPN (and the SSRS front-end supports Kerberos/IWA auth) - It should work
did anyone have issues with docs@work after the latest core upgrade. Having major permissions issues with shares
*Thread Reply:* Did you end up on 9.6.0.2 or 9.7?
*Thread Reply:* Do you have collapse Docs@Work configs enabled? What types of issues are you seeing?
*Thread Reply:* @macbentosh going all vague-Slacking on us
*Thread Reply:* Q: How did you determine the issue is caused by security groups not getting recognized?
A: When devices try to access the share using Active Directory groups they are not allowed. When the Active Directory user account is then added explicitly they are able to access the share.
Q: If you open up the permissions on one of the shares in question, were you able to access the share without issue?
A: Yes, but only through a workstation or laptop. Both Mac and Windows machines are able to use the groups. Apple mobile devices are not.
Q: What security group is in question (and is it a user or device based group)?
A: These are Active Directory groups, with individual users in each. There are no nested groups involved.
*Thread Reply:* That’s odd, since you’re keeping it simple on groups (not nesting). What error do you see on the Sentry when the client displays this error?
*Thread Reply:* Dunno, logs were sent to MI… Still waiting. Per them there is nothing wrong as Sentry is just a proxy.
*Thread Reply:* Gotcha. I think you went through this earlier, but said shares are using SMB 2.x+. Right?
Hey guys - looks like I've walked into an environment where the MobileIron Core provisioning port in Prod is still set to 8080. Has anyone gone through the process of converting this to 443 and dealt with all the cert renewals that go along with it?
*Thread Reply:* also that being said, security concerns aside do you know of any issues with leaving it at 8080?
*Thread Reply:* @Kiran Patel I’ve gone through this a couple times in the past. When you convert the provisioning port to 443, it basically just enrolls any new devices over 443 (SSL) instead of 8080 (HTTP)
*Thread Reply:* So, the only issue you’d encounter (after switching) is that if a device had enrolled using 8080 and tried to re-install their MDM profile, they would need to Retire/Re-Enroll (because the original profile was created/stored referencing 8080 which is no longer available)
*Thread Reply:* @Woody thanks man! It would also re-push SCEP certs and resync email right?
*Thread Reply:* No - The enrollment port only pertains to new devices coming in. Anyone who was already enrolled is past that point (and thereby not affected)
*Thread Reply:* really? We were told by support since the port is also referenced in the Local CA for the information URL & distribution point it would force certs to get re-created
*Thread Reply:* Provisioning port changes Local CA CRL endpoints to port 443 (which is by the way stupid...!) I don’t think it will regenerate certificates, except if there is a new way introduced in Core since a few versions. I’ve done this without issues in the past too
*Thread Reply:* Ah yes, that’s correct @Kiran Patel. I forgot, it does update the CRLs from Core.FQDN:8080/CA to https://Core.FQDN/CA. It’s been a minute, but I’m with @NicolasR on not re-generating certs. I can spin-up an 8080 Core and check, if you like.
*Thread Reply:* Thanks guys, no need to spin up as I should be able to test this. Thanks again!
*Thread Reply:* Once set to 443, do not change it back, there's no reason to do so. If it is reverted back to 8080 new devices will fail to enrol. It's not obvious at first, usual troubleshooting: checking MDM and Enrolment certs with much head scratching, until you look in System Manager and see it back on 8080.
@RobE commented on @macbentosh’s file https://mobilxperts.slack.com/files/U5BE2DYRH/FA2F3NW58/image1.png: Is this on iOS?
BTW, Core 9.7.0.1 released last night.
So far seems to have addressed the Redis issue and a few others we had found in our own testing. This is still taking place though, so caveat emptor - as always with these technologies, we warmly recommend testing in QA before rolling out to production.
i've not done any of them in a long time... they were not too hard imo
even allowed you to take the online test as many times as you liked until you passed
A number of these are based on older product versions.
Agreed. But still something good to set as a KPI for your team.
I've done the same
@Simon Hardy-Bistagne My post was a cautionary note for taking these. One exam example, what ports do Core and Sentry communicate on? It hasn't been 9090 and 443 for some time. So think old for the exam and not what's actually changed
Yep, I think all of them are in the same boat. The product evolves too fast for the training and certifications to keep up.
Tbh, looking at my MI certs, I did mine back in 2013 and there were those kinds of issues then.
Can't see that changing anytime soon.
They're about to launch a brand new learning platform 🤷♂️
cost?
There’s never been an associated cost for MobileIron University. Just entitled to it as being a customer. @macbentosh
correct - free, even the certs which you can download
Great, password in vault isn't working and the reset link sends me nothing…
Contact your MI rep to get it reset I guess. There's an address but I can't find it offhand.
if I remember rightly, my login was my email, with ".mi" at the end.... not sure if that was just me though
did MI just send me my password in clear text…
They should hire T-Mobile to come in as a consultant and help them fix that
Have to admit that was a pretty eye-opening thread to follow on Twitter
https://twitter.com/c_pellegrino/status/981409466242486272
Core 9.5 Fundamentals is out, but still old for Intermediate
9.5 is pretty outdated compared to 9.7.. they could have dev and training work in tandem to create content as features are worked on, but that sounds too much like hard work :p
I have a user that will get an appt setup and exchange will sync it to his phone. If the location is updated the appointment will not display the correct location till the event is opened.
where is everyone @here staying at for Live!
@macbentosh iOS right? Seen it before, thought it was an iOS bug. I am staying at the Holiday Inn at Alexanderplatz.
the event isn't at a hotel this year? I liked just booking it all together
I meant the MobileIron Live! event in Berlin too. We’re staying at the Motel One in Berlin.
@here Anyone have a method of updating all URL references in Core when the hostname is changed?
Most have updated, but the URL in the System - macOS Enterprise AppStore Identity Preference and Mobile@Work server name population won’t budge
Looks like the option to connect remotely to Core using Telnet in 9.7 is gone. #AboutTime
@Woody You'll need to edit these in the mysql database manually and then restart the tomcat service. Changing the hostname would also need you to retire all of your devices and then re-register them. I'd therefore recommend just building a new Core server. But for the sake of testing, you can update 'System - macOS Enterprise AppStore Identity Preference' in the database by updating the value in the miappsettingentry table: update miappsettingentry set value = "https://[newurl]/[path]" where value = "https://[oldurl]/[path]"; You can get the [path] from the configuration in the Core Admin Portal.
Thanks, @Barrie Codona! Of course, I went ahead and blew it away. Taking note for future scenarios 🙂
On my lab, I've tried dumping the database to a txt file and then doing a search and replace on all the references to the old hostname. But got errors when trying to import the updated file back into the mysql database. I'm sure that it should be possible to create a script that reads every table and automatically updates them in the database.
Filtering Apps in AppCatalog in Core admin using a Label available in Core 9.7 #AboutTime ;-)
The same for category management. Not sure if it was a 9.6 or 9.7 feature, but it sure beats writing web service calls
Ah, our upgrade to Core 9.7.0.1 Build 9 this morning killed the last few hundred Windows Mobile devices. Email profiles got lost.
9.7.0.1 having issues with any outbound proxy or communication for us. Quality sure is slipping for these releases
@Duncan Curious, Windows 8, 10 or a variety of both?
WP8.1 and WP10, but not all of them it seems. When removing and adding back the email config it started to work again.
downloading 9.7.0.1 how long does it take to verify updates
so Mobile Application Management only didn’t make it to 9.7?
I was told that with 9.7 a second core was not needed
I think you can separate labels for installing the system MDM config, but not sure this is how it's supposed to work
Good day all, are any of you having success with Core 9.7.0.1, Graph APIs and controlling the Microsoft Apps on the mobile devices and restrictions please?
@JaxxUK I haven't yet but planning to possibly later this month
so what’s the solution for “app” is already scheduled for management
Does anyone know if Email+ works with POP3?
No, Email+ is only Exchange ActiveSync protocol
Anyone here running Sentry 9.3.0 with Exchange 2016 CU9 and Exchange 2013 CU20? Based on testing in QA, no issues, but Mobile Iron does not officially show either as supported or compatible, and were told likely won’t in the Sentry 9.4.0 release.
Is anyone familiar with this "issue"? I don't have an iOS device to test so this is based on as close to a clear workflow as I've gotten from the customer:
I'm not sure if this is limited to MobileIron or wider, but would be great to hear if this is known about.
*Thread Reply:* Normally I've seen this when the end user has a Sim card pin active.
iOS won't allow wifi connections after a reboot until the device pin is active, and the Sim pin unlock comes after the device pin...
Try a different Sim card.
*Thread Reply:* Definitely not SIM related as they've replicated it on a number of devices. Supposedly the agent doesn't communicate with the device until after it's unlocked following a boot (paraphrasing).
*Thread Reply:* Never seen that. Typically, as Simon said, it's due to the fact the device does not have network connectivity: i.e. SIM locked and no WiFi. If it has a connection it unlocks just fine in my experience. The agent does not need a connection: the command is sent via APNs to the device directly, not the MDM client.
*Thread Reply:* I'm pleased to hear it's unusual I guess.
"OS won't allow wifi connections after a reboot until the device pin is active"
Isn't that essentially the core of this issue?
*Thread Reply:* That's BAU for iOS as until you unlock the device for the first time after a reboot, the wifi keys are all still encrypted in the keystore.
Now that I'm saying it out loud, it would cause an issue resetting a password on a WiFi-only device that's been rebooted.
If the devices aren't wifi only though it does mean there's an issue somewhere.
*Thread Reply:* @Jason Bayton This is a known issue. MobileIron even put out a product bulletin on it (https://community.mobileiron.com/docs/DOC-7148). We have definitely experienced this on multiple occasions. Not just WiFi only devices.
@here anyone have a visual on a Core Admin Portal? Does a Managed App Config still need to be uploaded as an XML or is there a wizard now?
@here there is a wizard depending on the application
Do me a favor @Kiran Patel or @macbentosh - See if there is one that exists for Okta Mobile
i do recall seeing an “App Config” tab inside app sections in Core
Can’t say I ever came across an app that actually had a box to create an entry, though
so why does the venue for west look like a house? 1006 Chantilly Rd, Los Angeles
Hey @Woody & @macbentosh - apologies spaced replying on this. To complete my comments, in the event they make the xml schema to mobileiron they have a UI around it. I've seen it for Salesforce and a few other apps. Check the Apps@Work pdf under the core documentation. I'm not sure if this is supported in Cloud but would be surprised if it's not
I do not see this available for Okta Mobile. Examples of it are Box for EMM & Salesforce.
Yeah, it’s there (and fairly robust) in Cloud. Seeing the same in my Core (now that it is back up)
That top screenshot is Box. Here is one for Salesforce1
you can have a default config or unique configs and apply by label
Yup - i was trying to find the document but I recall reading a while back that they committed to hosting the schema file from there
@here Besides enhanced management of Windows devices, are there any other benefits of using Cloud + AzureAD?
@here what do you do when an in-house app fails to install?
Any errors as to why it failed in the logs?
Users storage isn't full is it? I've had that a few times
the device that works is 11.3 the device that is failing is 11.3.1
Can you get the iOS console logs? Should have an error which could point you to a solution.
I concur with @Mark Vonk, scrape the device console logs from Configurator or XCode while it fails. I’m sure you’ll see why
I’d appreciate some feedback on these videos we’ve put together for our IronWorks solution, please?
I’ve got a reminder to check them out @Jason. Long week/weekend
@here - Has anyone configured MobileIron’s Cloud to communicate with an LDAP as a service, such as something like JumpCloud?
*Thread Reply:* yes, it works… or at least it did…
*Thread Reply:* Right on. It’s very similar to the Okta LDAP interface. I’ll see if I can get it rolling. Thx @Alex Mercer!
Our Cloud customers use numerous directories, probably also JumpCloud. Usually that‘s working absolutely fine, as long as the destination provides an RFC compliant LDAP interface. - What are you aiming for?
@Fabian @Jason I was looking to see if it was possible, since most MI Cloud deployments you see revolve around using a Connector. I’ve got it going in AirWatch and wanted to mirror the same arrangement in MI Cloud.
@Woody you want to integrate LDAP without MI Connector, right? If so, no, it’s not possible AFAIK
Running Connector in a Cloud instance is a horrid approach.
Afaik MI is working on that. Basically the same issue as with Sentry and MI Cloud.
@here in terms of Cloud and using AAD as an IdP/User Source, is a connector required? Stepping back to the conversation we were having yesterday about LDAP as-a-service (and not working w/o a connector in place)
From what I can tell, you’re able to use it without the dependency of a Connector
Well the screenshot says it all I would say. To connect it with AAD as your IdP you do not need a Connector. But actually some more is available: In order to use AAD, you need to set up your IdP for user authentication in one of the following methods:
You can't add multiple sources though. You can't combine an LDAP with the connector and AAD.
And do not forget to create some backup local accounts. In case you misconfigure something or your IdP is not working, you can still access the console as an admin
You can read more in the help by searching for Azure or IdP. AFAIK is was introduced in Cloud by accident. Documentation is a bit scarce.
Nice, @Mark Vonk! Admittedly, I’ve not implemented it yet, but that is attractive (since it is the only path that doesn’t appear to require a connector)
My guess is that MI will continue to follow the model they established with AAD Premium (as @Fabian mentioned) and help move everyone into a true cloud-to-cloud arrangement.
Completely different topic; I had a nice discussion with a customer‘s security guy about TLS 1.3 and its implications for enterprise networks, mainly in regard to the omitted renegotiation feature. Of course TLS 1.3 does drastically speed up TLS handshakes, but we concluded that most vendors and standards will skip this TLS version (except for the ciphers). What do you think?
This is somehow also MobileIron relevant, as TLS 1.3 requires a dedicated port or FQDN (with SNI) for every connection using client certificates. Per CA.
Why is it felt that most vendors/standards will skip 1.3? Just too much overhead required to implement an update for a minor version (and worth waiting until a 1.4 arrives with tweaks/optimizations/etc)?
In general, yes. Too much stuff that would have to be changed drastically.
Many things will not work with 1.3 without extensive changes on application level
That makes sense. Almost like it needs to be under a TLS 2.0 heading so vendors can maintain v1.x until they deem it worthy of making a jump
I was wondering whether someone already spent time on it, as TLS 1.3 has some real benefits for mobiles and high latency connections. At a high price.
how can I create a label but exclude devices in another label
*Thread Reply:* Was literally trying to do this yesterday and don't think it's possible.
*Thread Reply:* Ended up using device name as our use case is to exclude a kiosk device if we want to kick it out of single app mode
*Thread Reply:* Unless things have changed, you can't nest labels within labels in MI. You have to create AD groups and exclude them or key off of AD attributes or another MI field (display name, device info, etc.).
*Thread Reply:* Not possible indeed. You would need some other attribute (device, OS or LDAP) to exclude it from the label.
*Thread Reply:* Basically the condition of label 1, just negated, in addition to the already existing label 2 conditions. For such criteria it is good to be able to manually design the search filter :)
*Thread Reply:* Contact Miriam Geller from MI. I asked for this years ago and she’s told me that it would be coming sometime.
*Thread Reply:* If I remember it correctly, Miriam is no longer with MI.
*Thread Reply:* And the dream of nested labels departed with her it seems
No one going to Live! tomorrow?
I’d say she owned that event, @macbentosh. Made lots of pictures!
I'll look at the pics, Ben, see if I find yah
need to add that guy to this community too!
Alright all, I have a question: who here has had to migrate a virtual Core and Sentry off of an AMD host and onto an Intel host?
*Thread Reply:* Shouldn't be an issue, as the MI CentOS kernel contains the Intel specific optimizations. If it is already working on AMD, everything should migrate well. I would have struggled the other way around. However, haven't tested that yet.
*Thread Reply:* Probably worth being mentioned: Core and Sentry have different CentOS main versions. Will be equal again with Core 10.
@here Curious how many people implement G-suite today…kinda seems like smaller companies over large enterprise, and maybe govt/edu its good for… curious.
None of our > 300 MI Core customers is using G Suite. Only a bunch of MI Cloud customers do, perhaps 2-3%. Likely an EMEA specific phenomenon ;-)
SMB mainly, only a few enterprise level I've ever seen.
2 of our MI customers (large enterprises) Less than 5% of our install base
As of January 2017, Google has 3 million businesses paying for G Suite, while it has 70 million G Suite for Education users
I know the Airbus group is migrating from Exchange to G-Suite and they are massive
A few of our customers, small and large, are G-Suite users. We’re mid-migration ourselves too.
That said, the majority are still either live, moving or planning to move to O365.
We've got a few GSuite customers, but the company just brought on a microsoft consultant so that really says enough I think.
Move to Office365 mainly for our customers. Only one large (5500 devices) moved to Google. Still on MI and using the specific Core and Sentry functions for Google apps (like google password set by Core for Activesync through Sentry)
Frankly the lack of ActiveSync support makes G Suite a no-go if you want to use native apps like iOS Mail.
Indeed, G Suite does offer ActiveSync. ActiveSync has only been removed for free Gmail accounts.
Fair enough... Never really played with it, thanks for the info
*Thread Reply:* He says after making an authoritative statement on lack of support: "oh but I've never touched it" 😋
*Thread Reply:* I use it day in day out for my personal mail hosting, just never managed to find full activesync support despite looking.
*Thread Reply:* It's G Suite basic and above only. They've got docs covering it 👍
Gsuite can be configured with native iOS mail and adding MI Access or Workspace One to manage access control does the job
For Core you need to upload a custom iOS profile but it works
So, strangely two of our Cores are no longer syncing with DEP but three are syncing without problems. We've reached out to our program agent. Waiting to hear back if she is prompted to agree to new terms of service. Seems unlikely since some of the cores aren't having issues and we haven't switched over to Apple Business Manager.
I'd say it points to the sync service on the core then, but odd it's happening to two at the same time?
The cert hasn't expired has it?
Oddly, our hosted AirWatch server also stopped syncing with DEP/ABM.
Odd indeed. Nothing expired that I can see. DEP tokens on those Cores are good until December.
Could be a coincidence. Mind if I name drop you as having the same issue in my Apple case @aaron?
Be my guest. Not sure how far that will get you though!
lol. I'm engaging Apple and MobileIron to cover all bases.
Subject: [EXTERNAL] Re: [20000003660361] DEP is not syncing to two of five MobileIron servers
Hello Jonathan,
Thank you for your escalation. Apple is aware of an issue that is likely causing your reported symptoms. I will add your impact to the existing ticket and will let you know as soon as I have an update. As always, if you have any other questions or information about this issue, please let me know.
Kind regards,
Daniel Angri AppleCare Enterprise Customer Support Engineering
We are back in business now. Both Cores synced up. Must have been an Apple thing.
Anyone @here have to tweak timeout values on the MI Sentry when using on-prem Exchange ActiveSync? I'm seeing a fair number of timeouts for Sync events but haven't been able to nail anything down as a root cause. Users are reporting intermittent calendar sync issues, resync, etc. We've already worked on persistence & timeout values for the load balancers, fw, etc.
*Thread Reply:* to clarify by timeout i mean specifically AlertID HTTP503
*Thread Reply:* (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during server-to-device processing, Sentry reporting error to client:Write timed out
*Thread Reply:* (AlertOrigin=Sentry, AlertId=HTTP503) Got exception during device-to-server processing, Sentry reporting error to client:java.net.SocketTimeoutException: Read timed out
*Thread Reply:* The only timeout tweaks I require adding were when proxying out to O365 (since there was obviously going to be some latency there)
*Thread Reply:* Anything on-premise (with 2+ CAS) always did fine with the defaults
*Thread Reply:* Hi Kiran, You can up those but I'd consider checking in with support if you're running into issues after you up the timeout values. I usually try doubling the defaults for an issue like that and see if it helps.
*Thread Reply:* i.e. 30000 to 60000 and 60000 to 1200000
*Thread Reply:* Have all network infrastructure in between allowing tcp idle timeouts of 1800s (MS recommendation). Other values work, but have to be consistent across all infrastructure.
*Thread Reply:* The 503 in general is normal behavior. E.g. an IBM Traveler would report a 408 conflict to devices. When a device is waiting for an update notification in a ping command, this connection stays open until the server responds or the tcp idle timeout is exceeded. However, if the device user does, for instance, a contact lookup or whatever EAS command, the existing ping command connection will be dropped by the EAS server. This is translated to 503 by Sentry. Once the device's needs are fulfilled, it will issue a new ping command.
*Thread Reply:* 503 can have other causes, but in general it is normal behavior.
*Thread Reply:* I concur @Fabian, they do seem to be the accepted norm in this regard
*Thread Reply:* thanks everyone for the feedback on this. Appreciate it!
So, err..
The upgrade to Core 10.0.0.1 has stopped my Android devices from being able to check in.
@here fyi
C2DM was a red herring, no idea why that’s still erroring. Seems rebooting the devices is bringing them back, but I’d hate to need to tell 4,000 users to do that..
10.0 client is rolling out in stages right now
Core upgrade was a red herring, had a P1 this afternoon with a customer still on 9.6.x - exact same issue. Spoke with eng who have an outage for GCM over the weekend which may resolve this.
Email+ for iOS: does anyone know if it is possible to prevent certain outlook folders from syncing into email+? Since there are no KVP in the guide my answer would be NO!
My guess would be you could only do that via exchange policy.
GCM work resolved checkins, everything is back to normal. 10.0.0.1 seems alright
Well ladies and gents, I was offered a position working in the Connected Vehicle space, and will be moving on from working in the EMM/MDM space at my organization.
Was anyone able to configure open in for .pkpass files (wallet) for Email+? Configured a whitelist for wallet within the container policy and appconnect policy, but still no option for wallet. Any ideas?
Got it, no support yet: https://community.mobileiron.com/docs/DOC-6259
Interesting use case for you guys regarding GDPR compliance on iOS: we all know that it is possible to disable the contact sync within iOS Email+. BUT: I have a couple of smart users who started to bulk sync the business Outlook contacts with iTunes and then sync them with iTunes back to the device. I am thinking about a way to prevent that, but was not able to find any restrictions for iTunes sync. Of course one could also argue that the next step would be preventing users from creating these contacts manually! I think there is no suitable solution for this. How do you handle this in your company?
Do you allow iCloud and physical connections to other hosts? I guess if they're corp devices I'd block those.
iCloud is disabled, but users are able to connect the device with iTunes on their Windows desktop clients to create a backup. Is there a setting in the restrictions that prevents the device from physically connecting to a host?
Only within the AC2 or also within the restriction on Core? But if you block the connection to hosts, how do you deal with backups?
Core for supervised devices. Would block backups also.
Thanks Jason, I missed this one. What's the main reason why you would block backups? Backups from non-supervised devices erasing the supervised mode? Never had any issues with data loss?
I am not sure how to argue that backups are not allowed because they will be needed at one point, don't you think?
AFAIK you can only restore iCloud backups to a DEP device so that setting to me is more about security.
You've got the justification you need as soon as you mention GDPR I guess 😅
Up to you what you do, but that will sort your contact issues even if only used as a punishment for those you find doing it eh!
@here anyone recently dealt with Access and MacOS? Have the device managed, tunnel deployed, etc. I get to the Access URL, Tunnel engages and then the session basically stalls-out. Works perfectly on the same service on iOS.
Just heard from MI. MacOS is not yet certified for this, but they’re working on it.
are you suppressing kernel extension prompts?
Hi @Woody Yes tested but the version that doesn’t do Per-App VPN. It did work with Safari. To have Per-App VPN I think Core 9.7 is required
I’m on 10.0.1. Will do some more testing tonight and see what I can get @NicolasR!
*Thread Reply:* Thanks @Woody, true! how are you?
Anyone have a favorite app that’s compatible with Android Enterprise/Tunnel’s Always on VPN?
Latest MobileIron blog post on Apple Business Manager
Does anyone know if the caller ID resolution within iOS will also work for Email+ contacts (sync disabled) with Bluetooth devices like car hands-free systems? Can't test it, but I doubt it!
@RobE I can’t see how it would, if the sync and subsequent data wasn’t being offered-up to the OS/Phone app
Yes, I would agree. Although the caller-API is used to have the name resolution work for the phone app without the email+ contacts within the native contacts!
Any idea if that is supported with Email+ for Android Enterprise Work Profile devices? I think the contact sync has to be enabled though!
In my early demos, I think that worked @RobE. I might have a video on it
Oh cool, If you find it let me know! 😊👊
Here’s what I had with Email+ in AE back from 4/2017
@Woody uploaded a file: Screenshot_20170425-134428.png
@Woody uploaded a file: Screenshot_20170425-134503.png
@Woody uploaded a file: Screenshot_20170425-142126.png
That was on a device that was fresh and had no native/personal contacts established
Cool, thanks! So if you are connected via bluetooth, the device is able to grab the contacts for resolution, right?
Hiiiiii
There's an outstanding bug that prevents contacts from showing up on Bluetooth car kits. It's an Android issue going on a long time now. Doesn't matter where contacts are (app wise), they can't get out of the work profile.
Oh that's too bad! Thanks @Jason Bayton any progress in sight? 😂
If you want to test it, replicate it and grab logs, every little helps towards a solution!
It does look like I swooped in last minute to piss on Rob's chips tbh 😂
Better to have the pissing in a back channel than on-site with a customer testing it out
I will pull some logs and drop them off at Google HQ in person! Might need some backup! 👌😀
@Jason Bayton is correct. Does not work unfortunately, but was designed to work that way. Google is aware of the issue and noted to me that it should have been fixed in Nougat but even after that fix reports of the issue continued to be sent to Google. As far as I know this is still an outstanding issue.
See you there! I camp out front regularly 😋
Mark last I asked they are looking for more logs. I'm going to see if I can replicate on the new motor but every bit helps!
Will ask Antonio if they need any logs and info from me. I am able to reproduce it pretty easily with my devices and car.
I don't think Antonio is clued in on it. Ping Kevin if you know him, or I can collect them from you
How can MI do an auto enrollment? Turn on the device and have it auto setup as a user.
Sanity check please - - when distributing VPP apps, do you set BOTH the VPP label and the normal label, or remove the normal label and only use the VPP label?
Thank you, I'd been arguing this over a P1 earlier today!
If you push both label types, there's no guarantee the user won't be prompted for an iTunes account
Correct. It does not have a mechanism to choose one above the other. But the documentation is very clear:
You must apply a VPP app to a VPP label. Licenses can be used only by devices that are applied to a VPP label. Devices that are only applied to non-VPP labels cannot redeem a VPP license. These devices are redirected to the Apple App Store to purchase the app.
Well see that isn't super clear. Because that doesn't state authoritatively that you only use the VPP label and remove the "normal" app dist label
sorry; indeed not very clear. It’s clear that you have to apply the VPP label. Not clear: you need to remove the default (app level) label
Have the same experience: if you apply both, you sometimes get prompted to “buy” the app yourself in the App Store (or comparable App Store screens if the app is actually free).
yes, good, thank you. I'm glad I've got that confirmed once and for all.
I’ll agree on this, that was clear as mud. For the longest time I added both labels and it just never made sense as to “why”
That's not comforting coming from a former mi guy
I actually came into it not using both, then read the document advocating to check both… then found it was annoying and reverted back to the former behavior.
Does supervision make any difference to this? I know VPP doesn't require supervision, but there's no way the two labels would be required when devices aren't supervised.. right?
I can’t see how it would. However, it’s Friday AM and I’m running on 4 hours of sleep
I do believe at some point with some Core version you had to use both labels otherwise app distribution was intermittent. I think Core 9.1 or 9.0 or so, but was soon fixed. Maybe that sparked the ‘controversy’ and made it unclear
*Thread Reply:* Good to know, it seems the bug was never fixed…
How do you guys handle the classic ActiveSync publishing topic - it should only be possible to use ActiveSync through MobileIron, but a lot of customers still publish ActiveSync through Exchange. Let's drop a couple of possible solutions: a.) IP restriction on Exchange IIS so that only Sentry is allowed, but you have to move the ActiveSync directory out of the default website, otherwise Webmail access would fail. b.) ADFS Claim Rules?? c.) Rules on a load balancer?? d.) Re-Configure the Virtual Directory for ActiveSync?? e.) KCD for ActiveSync only, no basic auth possible so users will need to be enrolled in MobileIron to get a user certificate ..How do you guys solve this?
Depends on the customer and requirements. Most of our customers do not publish ActiveSync or, better yet, OWA anyway. So by default already, the Sentry is the only option. If OWA is available publicly, we typically advise to put either an IP block on IIS or, if available, some smarter solution with the firewall or load balancer to block the /Microsoft-server-ActiveSync virtual dir.
But we've seen a lot worse: where ActiveSync, even after years of MDM usage, is still available publicly... with hundreds or thousands of directly connecting devices. But at least it is a known risk and liability, as we warned them. Indecision, low level of security awareness, power to enforce it, or not wanting to bother end-users are typically to blame. Sometimes though direct ActiveSync is for BYOD and MDM access only for corporate devices.
ADFS is not always an option because not available. Certificate auth. neither. But all are good solutions. I do not think one is necessarily better than the other.
Does MI not have powershell abilities to block off access to devices which aren't enrolled?
Yes, with the Integrated Sentry. The default is a standalone Sentry, which is like a reverse proxy and is part of the ActiveSync communication flow.
Main setback of that solution, imho, is the fact it takes some time before the device is blocked on the Exchange level (sync time delay between Sentry and Exchange) and the user already received some mail. Or you need to block all users by default and then wait for the PowerShell command to kick in and allow the device. The latter creates a delay in initially receiving mail.
*Thread Reply:* But if the users connect directly to the Exchange server FQDN why would that matter?
Normally unless you need any of the extra functions of the sentry I'd just go with the flow and use powershell.
Can't comment on MI in powershell config (only deployed it with full sentry) but Airwatch in that config releases the mailbox block within 90 seconds or so.
Default activesync rule to block all, and use powershell to release it
Especially with office 365, I don't see any real issues unless you need the attachment removal etc
Because the Standalone Sentry can be used for (app)tunneling also, it’s for us the default option. Not sure right now, but previously you could not change the sync time on the integrated Sentry and it was set to 15 minutes or so. With Office365 you might not even need a Sentry at all, for example with client cert auth.
Yes app tunnelling i get, good use case.
Any of you guys use Access for On-Premise applications?
The On-Premise application needs to support SAML beforehand, e.g. must be integrated with ADFS before Access comes into play, right?
I migrated it from Okta to Okta via Access, but no reason you can't do it all in one go on a vanilla install. It's a good idea to test it works with the IDP before switching to Access though, easier to troubleshoot setup issues ;)
Ok what I know so far is that ADFS is in place, but no On-Premise application uses it. Therefore the plan should be to publish the internal website via WAP to use ADFS before talking about Access SSO! 😊
hey @here who is responsible of publishing the AppConfig XML to the appconfig community server?
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>MDM</key>
    <string>MOBILEIRON</string>
    <key>DEVICEUDID</key>
    <string>$DEVICEUDID$</string>
    <key>EMAIL</key>
    <string>$EMAIL$</string>
    <key>GLOBALENROLLMENTCODE</key>
    <string>REPLACE THIS WITH YOUR GLOBAL ENROLLMENT CODE</string>
  </dict>
</plist>
@Russell Mohr was able to find someone within MI to publish the Outlook Specfile I created. The file you posted is the iOS managed app config plist. This needs to be translated into an AppConfig XML specfile (containing types, possible values, constraints, field descriptions and maybe also localized strings) first before it can be published.
*Thread Reply:* I want to push it configured
*Thread Reply:* But it doesn’t support app Config, iirc.
*Thread Reply:* If you want to set the server endpoint automatically, I’m pretty sure GroundControl can set it via a one to many backup/restore.
*Thread Reply:* nvm just read the message before that
*Thread Reply:* I’d imagine they have to install appconfig at some point.
Regarding Exchange config on Core - I have checked only Calendar in the Exchange config since I only want Calendar sync to be enabled for a specific mailbox on the device, but that setting does not have an effect on iOS Mail - Mail, Tasks, and Contacts are also enabled! Any idea why?
There is no option in the Exchange configuration profile to specify which ActiveSync feature should be enabled or not. The option is still on the Core Exchange config, as I believe it could optionally be configured for some other platform, like older Windows Mobile devices.
Had a feeling this was for Windows legacy tombstones! 😊 thanks!
Can MI turn on airplane mode and enable wifi only on a phone?
*Thread Reply:* I’m not aware that any MDM that has that capability. What platform are you looking at?
@channel Does anyone know if it is possible to disable access to Apps@Work on iOS and Android? We have a use case where all we want to do is limit camera functionality (no MAM, no Email, etc.). I'm not sure if that is possible.
For Android is a bit tricky, in Android Enterprise it should be possible via device owner mode
@NicolasR unfortunately we haven't deployed AE yet. This is where additional features around device space would be most helpful. To be able to set up a device space and have a check box to allow MAM functionality for that space would be AWESOME!
@macbentosh yes. On prem. We only want to lock down the camera and that is it. No application management or app hosting, no email, etc.
remove the iOS label from system-ios enterprise appstore
Yeah. We are looking at that but unfortunately, as Nicolas mentioned, Android is the main issue. 😔
Android is rubbish anyway. Migrate everyone to iOS.
😂
I haven't seen the capability to remove A@W from Android, it has sat empty on a lot of legacy devices in the past!
@onires53 Can you expand on the use-case? I am not sure what you are trying to achieve, maybe there is another way.
The Apps@Work functionality is built into the Mobile@Work app. How about just not applying any labels that are associated with these devices/users to your Android apps - then Apps@Work is empty for these devices/users?
We have the need to block camera access in order to allow some employees the security approval to bring their BYO devices into classified areas. That is all we want to do and it would be indefinitely, unless they decided not to bring the device to work. So with that said, we don't want email or MAM functionality, just Android lockdown and iOS restriction for camera disablement. @Barrie Codona that was the other idea. I think we are just going to have to go down that road (i.e. remove the apps from their labels).
Technically however, it should only be required to apply VPP, and not the app label.
As always Nomasis share great tools! https://download.nomasis.ch/produkte/MobileIron/JSON-Android-Enterprise/
Guys, did anyone try to publish Core and AppTunnel Sentry with one IP address via Microsoft ADFS Web Application Proxy? It seems that the proxy is throwing away the user certificates for AppTunnel authentication so the SSL handshake fails and I can't find a fix for that. Any ideas?
Not possible by design of client cert authentication
To route the requests a reverse proxy needs to decrypt and therefore break the SSL session
This is why Client Cert auth is Secure: MITM is not possible ;-)
(Unless you have the private key to reencrypt... but of course you don’t usually have this at a reverse proxy level)
*Thread Reply:* F5 offers such TLS MITM when using RSA ciphers. But it does not work with PFS (DHE, ECDHE, etc.).
Thanks for your input @NicolasR . That is not so good news. Since I currently have only one external IP address for all MobileIron services, I thought with SNI that this would be possible with the WAP. Any other ideas to solve this with only one IP? I am assuming the same issue would persist with the use of a load balancer like KEMP.
I push Core, App Sentry (Tunnel) and Email Sentry through one IP via HAProxy on my lab. HAProxy routes based on SNI, and I’ve had zero problems to date.. but it’s not Microsoft @RobE.
Great tip as usual @Jason Bayton 🙏👍 no worries, I am not married to Microsoft anyway! 😂 I will give it a try, thanks!
@RobE I mirrored the same config @Jason Bayton has going and I can confirm that the HAProxy works using a singular public IP
Very cool, thanks @Woody ! The weekend is secured! 😊
I lied a little bit. I don't run a core through it
That’s because a single Core can manage 100k… I figure @Jason Bayton has in the ballpark of 300k devices… so the math checks out
*Thread Reply:* I dock them next to my bed to charge every night (1 alarm is never enough)
*Thread Reply:* That’s right! I recall your bedroom was filmed for a Russian TV programme recently: https://youtu.be/NXvzhYnlTU0
I keep two on hand for when MobileIron release an update and take a core down 😋
I have a lab prod, lab beta and a core I give access to developers testing their AE managed config compatible apps, and other reasons
Could you point me towards some useful and rather easy documentation for the setup of HAProxy? There is a lot of documentation on this and I am not really too familiar with setting that up on Linux, nor do I want to spend too much time on this! 😊🙏 thanks
Hey guys, do you know if it is possible to pre-configure Skype For Business on iOS with the Managed App Config (plist) ? I am not sure if the app supports it - Outlook shows the option in the App Catalog to use a plist, SfB doesn’t.
As far as I know it's not possible 😕
(we did some Pointsharp integration with SFB and could only configure the Pointsharp login app, but not Skype!)
Would love this ability... as Skype configuration is a constant issue for us. Not found an answer yet though.
*Thread Reply:* We talked about Skype For Business, do you know if it is possible for Microsoft SharePoint for iOS? I can't find any info on which app supports it in TechNet!
Another one: how do you deal with lost private key for SSL cert renewal? I would suggest keep it in a safe place in the first place. But other than that, create a new CSR from Core and Sentry? Create a new key with openssl?
Create a new CSR either from the Core or with OpenSSL (that does not matter), make sure to safely store the private key. I typically use OpenSSL as it allows for further customisation of the CSR, with the Core you are limited to what MobileIron offers by default (for example, algorithms, no option to specify SAN names, etc.) If you have lost the private key, you can typically get a new cert with a new CSR without any costs. Just ask your Certificate auth.
Thanks @Mark Vonk 🙏 costs are clear, rather the thought that since the old cert has a different private key that the upload of a new private key would fail. But this is also clear now! 🙏
I see what you mean now. It does not matter: the Core doesn’t do anything with the private key; it doesn’t store it with the CSR. That’s why you need to supply the private key again once you upload the new certificate. You can “renew” (change) the certificate on the Core or Sentry with a certificate with a different private key. This doesn’t cause any issues.
Big issue
Had a user send an install request to all devices for an app. Need to know how to prove it in the logs and stop the installs from going to our devices.
Hmm. So the user went in and requested the same app for a bunch of his devices. From the App Storefront?
No, user went in and sent an installation request to all devices and not just a label
What would a "send installation request" look like in a ShowTech?
Couldn't tell you offhand, though if you turn on trace logs, bring up the mifs live logs and do a test push to a device you'll get your answer.
Wait. How did a user go in and send an install request for devices other than their own? Or did they end up with Admin rights?
SATIRICAL POST ALERT...
I feel like this could be a good story... what happened in the end?? Someone screw up??
"Disgruntled former admin installs Grindr on 100,000 employee phones the day he was fired".
Our org is bifurcated with me running the back end and another user deploying devices. Didn't read the KB and pushed an app to 2300 phones.
Tell my manager that I did it to sabotage them because I want their job.
Logs don't show John Doe sent an install request.
Grindr @Simon Hardy-Bistagne. I got a good snicker out of that
There has to be a way of pulling which account deployed the app... certainly on airwatch it’s logged for audits and troubleshooting...
Yeah - I’m gonna try to pop into my Core and see what’s there. I know they really put a lot more focus on the auditing in the past several major releases
Yeah the push app notification command should be visible in the audit logs. Also who logged on and performed the command. Not sure what the actual command (name, description) is that MobileIron logs. But you can do the same (one device and I would opt for some other app than Grindr) and check the audit logs to see what is logged. You can view the audit log from the Core admin console, no need for ShowTech logs for that.
it says nothing about the sending of the notification
Odd, yeah.. I’m not seeing anything regarding “who” initiated the request
Nothing in the specific end device/user logs rather than platform audit?
Indeed not seeing any of it either in the audit logs. I would suggest to pull a ShowTech with sanitized database from the Core and raise a case with MobileIron support. Give them a date/time roughly and they should be able to find it.
@macbentosh did you update your Core recently? All apps that are marked as “send install request upon registration” are pushed again when upgrading to Core 9.7 or 10.0
What does "send installation request" appear as in the logs?
@RobE Doing a key rollover as part of the renewal is kind of best practice - Even if the key stays the same, don't forget about AppTunnel certificate pinning 🙂
@macbentosh Haven't checked whether you can see the initial "Send Message" command in the audit log. However, if you created a ShowTech afterwards it contains the https-access.log files for the upfront Apache. This will give you (assuming you can identify the according request URL) the requester's source IP. If you correlate the admin MIFS login events, which definitely are inside the audit log, you can correlate them also to the https-access.log, where you find the source IP. If you and the other guy are not behind an overload NAT, you'll have some evidence who did it and when 🙂
I mean... something like 1.2.3.4:34777 got NATted to 5.6.7.8:57333
No, that's referring to the NAT which you might have in between when accessing Core
I would probably be more interested in sleeping. It's going towards 1 AM 🙂 But some minutes are ok
Folks what options do I have for running Core in cloud infra? I don't know of any public images for AWS, Google Cloud or Azure, though I'm speaking to folks who want the features in Core without it being onprem. Suggestions?
Didn't they launch the MobileIron cloud solution a while back? Or is my knowledge dodgy there??
We offer a private cloud version, but other than the old Connected Cloud version, you’ll be struggling, I believe. (Unless they fancy biting the bullet and going full MobileIron Cloud)
Azure has MobileIron on their marketplace... Not sure just what it includes though.
Core is so much better than Cloud, otherwise that would be an easy push. just need to fathom a way of getting it running somewhere.
Don’t disagree with any of that. Happy to offer our infra if it helps?
Thanks for offering! I think if it comes to it could host it in the company DC, but try to avoid that generally. AWS or so would be ideal.
Depends on connectivity needs too, I guess. Shout if they need N3 (NHS), HSCN (Local govt, NHS), and/or PSN (central and local govt).
So far that hasn't been a concern, but I'm sure it's a matter of time..
As an aside, Core 10 is not playing nicely with KVM
Deutsche Telekom has a huge MobileIron private cloud, where you can easily get your own hosted Core + Sentry + Sentry + ..., so you can focus on the application, not caring about operation. They also have plenty of certifications, so that shouldn't be an issue. - There also are similar offerings by other carriers and MobileIron partners. Currently MobileIron only supports Sentrys/Connector for deployment in Azure.
Yes, Vodafone has something similar hosted out of Germany, however as someone who's looked under that specific skirt, I wouldn't advise ever going for anything hosted by a carrier.
I think Deutsche Telekom is ok, as we do the hosting for them 😉
We will deploy Core in AWS with the help of professional services for “official support”
Please raise the problem to MobileIron product team, they don’t want to spend money to support Core in AWS/Azure because they have cloud...
If we are many to ask this, they will officially support it
My customer’s use case: 20K devices + 20 more if everything goes well
What specific Core features are your customers asking for @NicolasR and @Jason Bayton ? I have a customer running Core and Sentry on a vSphere environment hosted by VMWare, so basically IaaS.
And I get the business requirement in that case. But Cloud these days is pretty much on par with Core. Any specifics missing for these customers?
I’ve gone the KVM route and that opens the doors to many options, so no longer such an issue 🙂 Cloud is less intuitive, has weird restrictions on admin password policies, user expiry, can’t support COPE, many deployments I’ve gone to click some little tickbox for something in Core which isn’t in Cloud, it’s always a pain. I can’t be specific as I don’t keep track, it’s just exhausting. Guys in MI I speak with echo the sentiment but can’t seemingly do much about it.
Cloud is public cloud where you don’t really know what is done on it (who can access the DB, the keys,...) you don’t control versions and QA cycle, you don’t have the same level of logging + SPLUNK integration.
The customer has highly critical business use cases to address
And also MI Cloud has MUCH FEWER partners that integrate it...
(In that case a deployment of Lookout, which is not compatible with Cloud)
And not to mention the ludicrous use of different APIs and even different results from the same type of API calls…
Exclude can be done by what you have written, something like “user.display_name” != “mbl” Or on device ID, if device is already registered.
Also @Mark Vonk looking at your vm post. Tomorrow I have to move my core from an amd to an intel host. Any issues?
What is a variable represented as in the MI search?
@macbentosh I am not really understanding your questions regarding the labels. As for VMWare; in principle this should not be an issue. The underlying hardware is of no impact as the Core is seeing virtualized hardware, not the actual hardware.
we have shared devices that are part of a service account OU. I want a label that excludes anything that starts with mbl or svc
*Thread Reply:* You can use “does not contain” search criteria if you want
*Thread Reply:* I'd suggest doing something like: “common.userid” does not contain “svc”. I’m not exactly sure about the search criteria, but "does not contain" works
*Thread Reply:* There is no "does not contain", it’s "does not ="
*Thread Reply:* Just write it in the criteria ;-) You’ll see it works!
@macbentosh afaik there is no way to define "does not start with" option, but the easy way would be a group inside the OU and add all the users to that group and use the ldap group in the filter: "user.ldap.groups.name" = "Test users"
A non-recommended option is to list all users that you want to exclude with: "user.userid" != "svctestuser"
Can you create an exception group based on an LDAP custom query based on a wildcard?
Eg a new ldap group based on upn=mbl**
Indeed, the best way is to add the users to a group and then exclude the group
Negative operators do have an effect on the performance. So better would be find some ldap attribute that normal users have and the shared device users do not have. And make sure the labels for the configs that the regular users need to get, include the ldap attribute. In that way, the configs are only pushed to the regular users and not the shared device users without using a negative operator in the label query. Best way would be to use groups (most visible and easy to automate) for this. But you can also use ldap attributes and bind these to Custom1, etc.
Also don't forget to get any LDAP attributes you sync to be indexed by the ad team as otherwise you could be there a while!
how can I target a group of signed out devices and give them a special wallpaper?
On your Core server, navigate to 'Settings > Users & Devices > Custom Attributes', create a new 'Custom Device Attribute' that can be used to group all of your devices in your 'group' - like 'Business Unit'. Next, navigate to 'Devices & Users > Devices', select all of your devices that are part of this group and click on 'Actions > Set Custom Attribute'. Select your new device attribute from the list and set a value for this 'group', for example 'HR'. Now click on your 'Advanced Search' button and create a multiple rule filter. First rule based on the Custom Attribute setting and the second rule based on the 'non-compliance Reason' value of 'User Logged out'. You should then end up with something that looks like: "custom.device.BusinessUnit" = "HR" AND "common.noncompliancereasons" = "LOGGEDOUT" Save this to a label. Lastly, apply this label to your Wallpaper Policy.
@here Anyone else having a hell of a time with Core 10 in general? We delayed and waited for Core 10.0.0.2 in hopes that it would fix all the issues with 10 as the release notes indicated but after updating our QA environment it hasn't fixed any of it from our testing. Now we are stuck with iOS devices being unusable in that environment. Luckily we are still on Core 9.6 in prod.
*Thread Reply:* In my lab things are ticking along ok, though the known issue around connector and ios don't affect me. In prod we run n-1 and most customers aren't even up to 9.7 as yet. Bring on 10.0.1.0..
*Thread Reply:* I'm hoping 10.0.1 does fix the issues we are seeing. The only Android issues we have right now are around the Mobile@Work client reporting all apps on the device being uninstalled and then reinstalled (this causes havoc with required app compliancy rules) and lack of Android 9.0 in-house app support with our 9.6 environment
Anyone familiar with this message for Docs@Work AppConnect? This is the first time I have seen this. Since when are the Google Play services relevant for AppConnect apps?
Yes, standard fare for distributing in-house apps via Play. However you don't want to be doing that with D@W. There's a Play version already available which also supports managed config
So this is a general message? I agree with you that this makes absolutely no sense and is also not what I am doing. This is D@W ACe for Android "native", so only for Android native devices, which makes no sense to deploy via Google Play. Android Enterprise devices receive D@W from Google Play services like you described.
Anyone here using Core+Sentry to manage devices connecting to Google Apps? If so, do you see an issue with the native iOS mail having duplicate mails in the Sent Items also?
As-in proxying EAS through a Sentry to GMail @Mark Vonk?
Yes indeed, Sentry is MitM in this case. I doubt it’s the Sentry though. Probably some weird Gmail ActiveSync(-like) issue
Ah, okay @Mark Vonk. I haven’t gone through that arrangement in forever, but if I had to guess I would say it is something to do with the EAS implementation on GMail’s side
Can anyone shoot me a screenshot of their android wifi config for a wpa2 enterprise setup?
@Barrie Codona IOU a cool one my dude!
@Barrie Codona’s response times are insane. Mad kudos to you!
@here anyone know if there are plans for Core to support SAML for device enrollment in the somewhat near future?
you mean in-client? you could do workaround by SAML for user portal and PIN-only registration, so user can generate that themselves
@Miklos Kerekfy I mean, if I browse to core.domain.com/go, enroll a device using SAML with an IdP as we do for the User and Admin Portal.
I appreciate the work-around, but client is interested in the same functionality for enrollment that’s available for the other two portals
fair enough request, I had similar from client before (meaning 3 years ago when SAML was introduced at Core)
Be careful, I saw that with AW. SAML enrollment doesn't work with DEP
Have you guys seen this doc MI just published? I reached out to support and didn't get much info
I have seen the message and already asked for more clarification.
where is the option for iOS update deferment in MI Core?
*Thread Reply:* This is within the iOS Restriction Configuration.
*Thread Reply:* what version of core are you on?
*Thread Reply:* This screenshot is from Core 10.0.0.2
*Thread Reply:* @macbentosh time to find out. Taking a snap and upgrading
*Thread Reply:* I’m on 10.0.0.2 with no issue, though 100% Android Enterprise and no LDAP so.. I really probably shouldn’t even add a voice tbh 😄
*Thread Reply:* Keep in mind that the admin portal can only be used via the FQDN in Core 10 (not IP or another DNS record). Besides that, it's a 70/30 thing. Most times it runs smooth. On other installations nothing works after update (Core does not boot, DEP broken,...)
But be careful to use the snapshot: if you have issues with iOS devices checking in, do not use the snapshot: it will break even more stuff. There are numerous issues I have seen. Typically I would advise to wait for 10.1 or so currently.
docs@Work config is pending and user is getting a retired: User logged out error… Ideas?
Anyone know what the runmonitorscr on an MI Sentry is? We had some UCS issues this morning and our Sentrys are running really hot on CPU
Figured I'd ask here real quick before waiting for support
Sorry @Kiran Patel, haven’t come up across that process
Just finished opening up the case and now calling them
turned out to be a cleanup script that couldn't run as the file system was in RO mode due to VM issues
*Thread Reply:* Thx for the update @Kiran Patel. So, technically not related to Sentry itself… but the VM environment that it lives in. Right?
*Thread Reply:* yup but technically if the VM appliance puts itself into RO mode a script running on it shouldn't be able to consume all resources
*Thread Reply:* Should be a pre-flight check on the script side
Guys are any of you running Core 10.0.0.2 + with AE work-managed devices? If so, are you seeing location reported against those devices?
Known issue with Core 10.x and DEP registration on iOS : https://community.mobileiron.com/docs/DOC-8402
@Jason Bayton Not tried yet, but I would not hesitate to let you know once we have tested the use case.
Not yet @Jason Bayton but I will be looking for it and let you know
@Jason Bayton no issue here with Core 10.0.0.2 and a work managed device. Location is correct
Hmm. Replicated on 3 Cores so far @Mark Vonk. Gives me the 72 hours error and that's all she wrote. GPS if available is set and GPS isn't restricted
Weird... I just registered the device and was able to locate it. Were your devices already registered?
Registered on 0.2 or before. Noticed it on 0.2 and will try to replicate on 0.3 in a bit
Sorry, .... Someone got his Android Enterprise terminology confused... Just enrolled a Work Managed Android Enterprise device. I can't locate it now either.
Not good 🙂 Have you noticed it on other MDM or previous Core versions?
Good that I’m not actively misconfiguring servers. I’ve only seen it from 10.0.0.2 but wasn’t really checking before
Re-enrolled a pixel in 10.0.0.3 and it’s reporting… hmm
Updated to 10.0.0.3 and with or without a re-enroll, still not working for me.
Enrolled again, work managed with a work profile, still the same issue. Enabled location (even using WiFi, etc). No lockdown policies in effect. Same device, but then BYOD with a work profile, reports location just fine.
Drained the battery, so time to retire this testing for now.
Thanks for testing Mark. I’ve enrolled three more devices and only the Pixel is reporting
Sounds like the ideal time to standardise on the pixel across the board then...
Weird stuff. Not sure if it's MobileIron, AE, or a device specific issue now... Have had some notable other issues with AE on Samsung devices, so I would not rule that out as a source of issues.
Anyone worked with Zebra ET50 or ET55 devices with MobileIron ?
what version of core allows me to defer the iOS update?
All of them. Use this config profile: http://static.groundctl.com/assets/Defer_Software_Updates_90_Days.mobileconfig
I would like to have the native option in core
Of course. But then Core would simply send the same profile.
how would that conflict with the restrictions policy I have going to those devices now? What takes lead?
what I’m wondering is if i can get what I need by going to 9.7.0.2 vs 10
Whatever is more restrictive wins. 90 days beats 60.
I was talking about other settings i.e. facetime
The profile above will not affect any other setting.
@macbentosh The native option is in Core 10.
@Barrie Codona what issues am I looking at in 10.0.0.3
It would really depend on what features you are using. The best place to start reading is here: https://community.mobileiron.com/community/micore/known-issues
I'd also advise reading the Release Notes for this version of Core: https://community.mobileiron.com/docs/DOC-8463
Also, since you are not already on Core 10, then prior to upgrading to Core 10, follow the steps outlined in this guide: https://community.mobileiron.com/docs/DOC-7886
How could you test this procedure? "Please ensure that prior to upgrading, the following outbound TCP ports are open and the hosts are reachable:"
Host: api.push.apple.com, Port: 443
Host: feedback.push.apple.com*, Port: 2196 (*Carryover from APNSv1)
This will be an outbound firewall rule that needs to be updated on your perimeter firewall. You will be able to test it using the built-in services diagnostic check in the Core server. Navigate to 'Services > Overview' and click on the 'Verify' button to the right of the APNS service. You could also try testing this from the CLI of the Core server using the telnet command:
Excellent. Take a backup of your Core server and then upgrade!
I would export a local backup via the System Manager.
WARNING::+15592 (mbl_CRMC8WSup) iOS device MDM deactivated
Are your devices checking-in to your Core server?
How do you guys deal with domain name changes for Core and Sentry? Still fresh installs?
I rebuilt mine yep, the CAs retain the URL of the old name
..and the enrolled devices? Core system backup won't help due to the old CAs, right? I am thinking there is no migration of the devices possible
Indeed. I'm sure there's a means for fixing it via DB or so but I don't know what it is. @Mark Vonk / @Jason
There probably is a solution... tried it once for a test but gave up fixing it. There is no help from Mobileiron. Had to dig through the DB and fix the domain name, but also many properties files, etc. in the end, while it seemed all ok, I gave up as I could not get the devices to check in.
If not needed do not change the domain name for the Core. If needed, just build a new one. Best advice I can give...
Seems fair, I can rebuild because it's my lab. A second core and migration sounds reasonable where it matters
Why not build the second server put it in HA and perform the sync?
Indeed, does not solve the issue with the CAs. Basically HA will copy all the important stuff from the Primary to the Secondary. It does not change anything with regard to domain name changes.
When a DEP enrolled device restores a backup how do you tell what device to retire?
All newly enrolled devices are not getting an Activation Lock Bypass Code
Known issue to be fixed in Core 10.1
Pretty sure this question was dropped before: Exchange Online: deployment with or without Standalone Sentry? (Core On-Premise) If yes, why not deploy Sentry in Azure or AWS?
Assuming it needs to be secure: with a standalone Sentry. Either the current, if exists, or a new one. Does not really make a difference where it is running, on-premises or in the cloud. If it’s Core, I assume a Sentry on-premises is not an issue.
Otherwise an integrated Sentry? Works also with Exchange Online.
Alternative is no Sentry and do CBA for Exchange Online.
Has anyone tested the following: deploying MI Access with iOS 12 OAuth Exchange Online profile?
Exchange Online as-in O365? Or is that still somewhat of a separate hosted service?
Are there any limitations for Zebra devices? Zebras seem to have problems with WiFi config deployments (cert-based auth). Currently DA enrolment. WiFi config is partially applied - and also: is there no Play Store on Zebra devices? Looks like they have been shipped without Google Services installed.
Can't speak for MobileIron but there is a specific AirWatch client for Zebra devices you manually install outside of the Google Play Store.
Thanks Simon. Ah ok, I can recall that I have read about something similar for Zebra devices on the MI community. Let’s have a look again..
So StageNow is the magic word? https://community.mobileiron.com/docs/DOC-5328
Zebra devices are shipped with or without Google Mobile Services! You need to ask Zebra to provide the right firmware
Guys I am looking for a setting within MobileIron, but can't find it. We had an issue where Core was not reachable. For ActiveSync devices which have not been registered we found this entry in the Sentry log: „Since EMM server is not reachable - applying DEFAULT update for device xxxxxx“ - followed by „Applying default policy ALLOW for device xxxx“ - result was unregistered devices are able to sync mails. Where is that setting? Auto Block Unregistered Devices is turned on within the Core Admin Portal, so that is not the one referenced in the log
Thanks Spurti, I am familiar with this. But which setting do you refer to?
I believe when Core is down and Sentry can't talk to Core the DEFAULT action is ALLOW. But where can this be changed? It is not the auto block option you refer to
*Thread Reply:* My bad, It can be changed. I do see that you got your response 😊
It looks like this behavior cannot be changed! 😊👍
Son of a mother, there she is! Saved my day @Barrie Codona. thanks! 🙏
Forgot about that option - Good one @Barrie Codona
Got another one: in-house app for iOS version 1.0 silently deployed via Core and installed on the devices. Version 1.1 uploaded into the App Catalog, applied to the same label as version 1.0 for silent deployment. That doesn’t work - app remains version 1.0. Does the update only work when it's not deployed for silent installation?
Are both CFBundleVersion and CFBundleShortVersion updated to 1.1 or increased?
Hey guys, migration of Core - enable HA feature for syncing everything to the new Core and then use the new Core as primary, and finally disable HA feature? Any known issues I might run into?
How would that compare in time & effort vs taking a backup and restoring to a fresh core without system settings?
A little more time as you have to enable HA. But the HA sync is almost the same as a backup/restore
You would also need to engage with a qualified MI Partner or Professional Services to enable HA on both Core servers. Might be easier to use Jason's suggestion.
Both are viable options. Used both before and work fine. Some details are listed here: https://community.mobileiron.com/docs/DOC-2179. For customers using HA already, the HA route might be best. For others, simple backup/restore is probably easier
anyone experiencing this: https://community.mobileiron.com/docs/DOC-8392 getting this on a regular basis, only using SCEP for Core local CA
Really weird issue. Imported an app and it shows in the Core catalog and it's scoped to a user label, but does not show on the devices
Maybe the apps are "iPad only" apps or the minimum required version is not met
I concur w/ @NicolasR - If it’s not being presented, there’s something at a higher level preventing it.
and we're in the middle of contract renewal so the support line hangs up on me
So, it doesn’t even make it to a point of queueing to deliver to the device (in the MDM logs). Right?
Device/App are bound to the label in question. Yeah?
anyone experiencing this: https://community.mobileiron.com/thread/4718
Has anybody experience with the Work Schedule policy? Does it work? Is there something to mention since the device is out of compliance in that time? How does it work if the device is in another timezone than the configured one?
Hi Wolfgang, never tried it. I guess that the timezone is relevant to the Sentry/Core NTP settings - so you might have to manage different policies based on the user timezone and check the delta with the server's timezone!
Does anyone use MI Cloud? Is it disastrously slow in pushing down configs and apps for you too?
yes eu1. initial enrolments for ae devices seem to go ok, but after a wipe and re-enrol it’s taking +20 minutes to get the managed google play account provisioned on the device. A further 10 for passcode config.. still no apps pushed an hour later
hey all I see a way to set Default Device Name Configuration in cloud. Has that made it to core?
@Mark Vonk known issue in cloud apparently. MI are manually deleting the offending left-over device IDs that are clashing with the re-enrol from the DB. Messy.
I had similar issues with MI CLOUD a few weeks ago. The issue seems to be more on the link between MI & Google.
Won't be fixed today. They clarified they can't edit the DB on Cloud so I'm waiting for their solution 🙄
Is there a good site to find Microsoft iOS App plist files pre-built or do we need to build these manually?
Hi @here anyone have configured Google API connection with CORE/CLOUD?
the question is: Is it possible to import users Google identity?
If I have a user located ONLY in Google G-suite and NOT in Active Directory?
Hi Nicolas, as far as I know this Google API connection for identity is used to set the Google Password (we are using this OnPrem for a large customer)
(in this case the users don't know their google Password, only MobileIron does it. I don't know if there is some other usage of this APIs...
but I wonder if CORE/CLOUD can import user identity based on that
On Cloud there is an option that doesn't manage user password from MI CLOUD
Hi guys, a customer asked me if MI could manage standalone (meaning not connected to smartphone) WearOS devices
do you know if at least Google allows this in WearOS?
I am not sure if Google has opened these APIs for EMM control
I’m not aware of a wearos device being able to operate stand alone but I could be wrong
They can run standalone to a degree with a network connection but can't be managed
On a standalone mode are you able to connect a G-Suite account on them?
Hi all, I need a label if anyone can assist. I would like a label that is all users registered after today's date.
“common.creation_date” >= “now-1d” AND “ios.IsDEPEnrolledDevice” = true
@macbentosh are all devices you want to key off of DEP enabled devices? And to be clear, you want the label to collect devices that were registered the day before?
We are rolling out a WiFi change. I want a label with all devices registered after today's date and going forward.
Seems that we can not add a specific date for it to follow. With what you have listed for this bit: "common.creationdate" >= "now-1d" will cover devices that have been registered in one day or less and on the second day they would be dropped off. Using: "common.creationdate" <= "now-1d" will cover devices that have been enrolled for at least one full day. Does not appear that either will meet your use case
I'd personally do it the other way round.
Tag the existing devices manually, assign the old wifi profile to that tag, and then exclude that tag from the new profile applying it to all devices.
The AW equivalent to that yep. Tbh my first thought is stick new users in an additional AD group and base it off that.. but I'll see what I can do with date.
I could apply a custom attrib to all, just not sure how that will play in to the performance of Core. Any probs doing that to 2500 devices?
Not sure if it can be done easily in MobileIron, but it's something I'd script in AirWatch via API as you can't select multiple devices and add to a manual tag, you have to do it one by one.
It would be my preferred way as it's a fire and forget way rather than continually maintaining it.
The old devices should lose the tag as and when they're retired or reactivated making the tag obsolete after a while.
so survey then….Add to manual label or custom attrib.
@Jason Bayton This is a 5 min thing in JAMF for me… What were you thinking
Wrote it above! I'll be on my laptop within the hour
The users that set up our devices don't have LDAP access
well I could do a custom attrib for Old wifi = true then create a label for old wifi !=true
Yeah but unless you use assemble it's a very manual process
just 12 pages of select all and assign to attrib right?
(“custom.device.AutoCMCPROD” != 1) AND “common.retired” = false
There has to be a way to specify a date by modifying the advanced search, but the date format is probably wonky
It's really odd: the label posted shows only 8 devices but added to a config it adds 500+
Why doesn’t the former work for you? That should select all devices where AutoCMCPROD isn’t 1
it does in the label view however when applied to a config or a policy it adds 500+ devices
(“custom.device.AutoCMCPROD” = null) AND “ios.IsDEPDevice” = true AND “common.retired” = false
*Thread Reply:* No but do let me know how you get on!!
What projector are you playing with? Not just a case of side loading the agent?
*Thread Reply:* Wait. Android Projector? Interesting!
*Thread Reply:* That’s awesome. I never really figured that would be a market we’d see Android on. There is that open source project though, so I guess it was bound to happen eventually!
*Thread Reply:* Seems to run android 7.1 I don’t see why you couldn’t side load an agent... not sure what control you’d get over it though
*Thread Reply:* Love to see the results though!
*Thread Reply:* I just want to block apps and add wifi
*Thread Reply:* anyone have the latest apk handy
*Thread Reply:* I've enrolled the Xperia Touch and it locks down lovely.
*Thread Reply:* https://support.mobileiron.com/MIClient-latest.apk
*Thread Reply:* Now I need a whole new set of policies
@Jason Bayton are you able to look at my wifi config and tell me why android hates it?
*Thread Reply:* Hmm, and what’s Android not doing with that?
*Thread Reply:* Do you see the certs pushed to the device at least to begin with?
*Thread Reply:* Are the relevant certs assigned to labels?
*Thread Reply:* They don't get applied, just told they can trust it.
*Thread Reply:* If in doubt, assign to labels; like Windows Phone, things like SCEP need to be assigned directly to the AE device label(s), so I’d rule that out
Hi All, I would like to implement O365 with cert-based authentication. Ok for the native app, but what if I want to reduce the user-interaction... with the Outlook app? Is there a way to push config that will not prompt the user for any password?
It does seem like it is feasible here (https://docs.microsoft.com/en-gb/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune) but isn't that limited to Intune? What about MobileIron?
*Thread Reply:* Yes, but it has to route via the MS Authenticator app I believe.
*Thread Reply:* ok, Did not think of this one. Thanks. Will investigate
*Thread Reply:* @JF Rigot so you are wanting to deploy a CBA Exchange Configuration to iOS/Android for ActiveSync and then have a similar experience the Outlook (modern) clients. Correct?
*Thread Reply:* Are you using MobileIron Cloud or Core?
*Thread Reply:* If you’re able to, I would begin considering walling-off ActiveSync. If it needs to stay around, go the CBA route. For Modern, your best bet is to use MobileIron Access and its Mobile SSO feature.
Guys, does the host pairing restriction within the restriction on Core prevent access to the storage on the iOS device when connected via USB?
Indeed. If you restrict host pairing, the device does not respond to USB on any other host than the configuration host (if applicable).
It is a Supervised restriction. If you supervise the device using configurator, you can deploy the configurator certificate. In that case, the device can still pair with the configurator host. If supervised using dep or if you do not supply the certificate, the device can’t connect to any host anymore. This includes windows, apple, iTunes, etc.
*Thread Reply:* Thanks Mark for the quick reply. Sounds great! 🤙
@here
@Kory devices check in hourly-- all devices including macOS
Device enrollment with Apple Business Manager is supported
@Kory you are a current MobileIron customer? Check out the macOS Center of Excellence at https://community.mobileiron.com/docs/DOC-5371
I am a current customer, we just signed the contract recently, but I do not have a community login. I was just filing the request
You can request your credential at https://mobileiron.secure.force.com/PortalAccessRequest/
Thank you. Now I just need to locate my account number.
Guys we talked about this in the past - give me some input how you handle the best practices in terms of device backup of a MobileIron enrolled device. Use Case: private use is allowed on company owned devices. Users are taking backups (iOS=iTunes or iCloud, Android=Smart Switch). I know that you, @Jason Bayton mentioned that you would not allow backups. What would you recommend? I don’t see a problem when a MobileIron enrolled device is being restored - should be able to find its way back to Core, right? Enable backup data of AppConnect apps like Email+? I think there are a lot of moving parts.
I'm not in favour of enabling backups, no. Not unless it's a BYOD/COPE device anyway.
I don't see any major harm as long as any corporate apps are flagged as managed and backup of those apps is disabled.
OK got it, thanks. Well on BYOD/COPE, is it even possible to restore the data within the work profile/workspace?
Google told us there is no way to grab the data within the workspace
I was referring to personal data only - backup service is disabled by default in the profile and there's nothing to back it up to unless you push a service or managed Google account yourself I guess
I forget my head is normally in the Apple world... Yeah, for Corp dedicated on Android I'd block it... iOS I'm not fussed too much
Not anymore with iOS. There used to be some issues when the backup was restored and how the Mobile@work app responded to that. But if you make sure the iCloud backup does not contain managed app data, everything should be fine.
Again I need to throw this question into the ring: was anybody able to find a car that works with CallKit and iOS Email+ in terms of the caller-id and calling business contacts through the car console? This is the number one question I get from customers all the time and I was not able to find a solution yet!
My Volvo has CarPlay and that works with Email+ and the Callkit feature. If I switch to regular Bluetooth connection between it and the iPhone, it does not display the caller ID. Callkit is for identifying incoming calls only. So it does not work for calling business contacts anyway.
Ah yikes, got it. So when the business contacts are locked within Email+ you are also not able to call them with CarPlay, right? At least on iOS the native mail app could come into play for that since the managed contacts can be secured.
I have seen the option „export to CallKit“ within the iOS Email+ settings, what's that for?
Not able to call them indeed. Only see the caller ID when being called. With iOS 12, you can set the read/write to managed contacts again. That should allow users to export contacts from email+ again to the native contacts app.
😱 Good lord, totally forgot about that. Not really clear to me how I can use it. So if I enable that, I can export the contacts from Email+ into the native contacts app. But where is the difference between the iOS 11.3 feature „allow unmanaged documents access managed documents“..
In iOS 11.3 the contacts app adhered to the concept of managed and unmanaged data. If you use mdm to push an Exchange config, the contacts are managed. If you use Email+ as a managed app, you could not export the contacts (managed because in the managed Email+ app) to the native contacts app (unmanaged)
In iOS 12, you can use MDM to make the following exceptions to this policy:
Allow unmanaged apps to access managed contacts (for example allow WhatsApp to read managed contacts in the native contacts app)
Allow managed apps to save contacts to the local Contacts app (for example allow Email+ to save contacts to the native contacts app)
So depending on what you want, you should set the second (at least for your car issues) and maybe the first if you want other apps to use the contacts also.
Tried to upload the config, but does not seem to work from my iPhone.... seems like it’s uploaded as a picture. If you need it, let me know.
This is awesome, thank you so much Mark! 🍺 Sounds good!
No problem. To be honest, I would use those instead of relying on CallKit features. It’s too limited and does not universally work. Most organizations do not require contact information to be securely contained.
Right. Well most of our use cases are WhatsApp is not allowed to use the business contacts and Caller-ID in the car must work! 😊
Ok, you would need the second. MobileIron does not have a restriction setting for it, I believe. So you would need to push a mobileconfig. Create an empty one and add the following:
Perfect, thanks! In addition to the 11.3 feature, right?
In addition? The 11.3 feature is not something you can change. This is only needed if you have/had the restriction "Allow documents from managed apps to unmanaged apps" turned off (de-selected). If you have this checked (so Allowed), contacts export from Email+ should have worked anyway. This restriction has been available for a long time, but did not apply to contacts because the native contacts app did not respect managed vs. unmanaged data/accounts. This came into effect with iOS 11.3.
Ok, right now „allow documents from managed apps to unmanaged apps“ is de-selected with most of our customers, but with this they use Native Mail App - WhatsApp has no access to Exchange, and Caller-ID works as well.
I will test this with Email+ like you mentioned!
Caller ID always works, regardless of the restrictions set, as long as your contacts are in the native contacts app.
With Email+, you are trying to export (write) the contacts (managed) to the native contacts app (unmanaged). So that flow is: write from managed to unmanaged. That's different than 3rd party apps (WhatsApp, unmanaged) trying to get read access to the native contacts that are from an MDM-managed Exchange account (managed). That flow is: read from unmanaged app (in)to managed contacts.
Apparently I am not finding enough time for this Slack 😞 So apologies for responding to a request from a few days ago. But I thought this might be helpful for some...
You can use Epoch/Unix millisecond timestamps in elasticsearch filter criteria. An example:
"common.registration_date" >= 1542240000000
All devices registered since yesterday.
@Tobias Another useful tip with criteria is that you can use the value “null” for a custom attribute. When you create a custom attribute it is instantly attributed to every device. Instead of having a real null value (meaning there is nothing), the value is a string called “null”, so you can use this to create a custom attribute that is “set” for everyone by default without actually assigning it. Just a cool tip.
Particularly useful when you need to split some config distribution and LDAP groups are not a valid criterion.
I don’t know when MobileIron sneaked this one in, but Core 10 shows an extra device attribute called Security Patch Level Date. Before we only had Security Patch Level, which was not a date field. With the new attribute it is now possible to create labels/compliance rules based on the Android patch level. Either use “android.securitypatchdate” <= “now-30d” to have a label with all devices with a patch level older than 30 days, or (for instance) “android.securitypatchdate” < 1541030400000 to have a label with all devices with a patch level older than November 1st, 2018.
It’s been there a little while I think, and is a very cool attribute!
@here Any tips with registering the LDAP Connector? The registration fails stating, please check your username and password. I have tried multiple times and I can login to the Cloud tenant with this username and password. Any ideas?
LDAP Connector for MobileIron Core/Cloud or either @Kory?
It’s been a minute, but I recall the syntax having to be just right
@Mark Vonk could you send me that config which works for you? I can export the contacts from Email+, but unmanaged apps like WhatsApp or Signal can still grab the business contacts. “Managed apps write to unmanaged contacts is allowed” - also “Opening documents from managed to unmanaged apps not allowed”..
*Thread Reply:* I have created the payload with the AC2 - these are active:
*Thread Reply:* Oh, in the settings on the device I can see that the payload is different: "Unmanaged apps read managed contacts" allowed. What the hell? It is set to false in the XML.
*Thread Reply:* Ok, now I have only the one option:
*Thread Reply:* If you can spot the mistake let me know!
*Thread Reply:* I understand now indeed. The contacts that are exported from Email+ to the native contacts, are unmanaged contacts. So any app can read them after they have been exported. Only managed contacts are not shared with unmanaged apps.
*Thread Reply:* Yikes. That means there is no solution for this?
*Thread Reply:* I thought if the contacts came from a managed app they are also managed contacts..
*Thread Reply:* They are unmanaged. One rule is to allow for apps to export contacts to the native contacts app. At that point they are unmanaged. The other rule allows for unmanaged apps to access managed contacts. That only works for managed contacts (ie mdm pushes Exchange configs). I do not see a solution with those two rules for your use case. You have the most options if you use the native apps instead of email+ for this use case.
*Thread Reply:* You are right.. So at the moment, for GDPR compliance and car Bluetooth caller ID, let's stick with the native client.
@Kory Any special characters in the username?
I don't think dash should cause an issue. I know that + in the username does.
Can I verify network connectivity on this VM somehow?
Yes, you should be able to telnet to your MI cloud instance on port 443.
I actually do not have telnet as a command available 😕
The only t command I have available is traceroute
Well, those validate DNS resolution and ICMP connectivity
do I have the tenant admin username wrong? I am using the account I use to login to our cloud tenant and make Administrative changes.
But you need Telnet to validate you can speak to the Tenant on 443
What was the initial Tenant Admin account that was created for your instance of MI Cloud? Go with that
and you say that you are inside the Enable mode. Yeah?
Any special characters in the password? If so the VMware settings might actually have you type a wrong password. Try and type the password in the username field and see if it is actually OK.
Okay that verified as correct when I typed the password in the username field.
I just SSH’d into the VM so I could copy and paste to take the “human” out of the equation of typing the password and it still failed
That’s good. Doesn’t fix the issue, but good to know
Folks, does anyone know why https://accounts.google.com/oauth2/token is coming back as failed under Services in every Core I have access to? Noticed it a while back and it's had no effect on anything, so I'm just curious.
*Thread Reply:* Known issue without impact. Fixed in core 10.2
@Woody In case you were curious, I must not have had the required role for my user. I created a new user, promoted them to all roles and I was able to register. I know I have the system management role assigned, but I guess that isn’t enough.
How do you guys handle the topic of shared mailboxes on ActiveSync devices, specifically deploying an additional mailbox (which could be a shared mailbox) for iOS (native, since to my knowledge it is currently not possible with iOS Email+) and Android Enterprise Email+ (one additional account possible)? Is this even supported by Microsoft? As I understand it, it is not possible to map a shared mailbox via EAS. How do you handle this? Do you get that often as a use case with customers?
*Thread Reply:* As long as the shared mailbox has an AD username you can deploy it and access it via ActiveSync.
You are limited to only 100 devices though as this is the maximum activesync devices exchange will allow on any single mailbox.
We only do it for very occasional requests but deploying down the account with credentials preloaded into the settings.
*Thread Reply:* But does a shared mailbox have a password? Because It gets mapped automatically without using credentials within Outlook. It is not an AD user account, right?
*Thread Reply:* Not natively, but you can convert it to what is essentially a service account.
It will need its own licence though.
*Thread Reply:* Shared mailboxes are more and more requested by customers. We are using the native email app on iOS. It's working well with Kerberos. There is also a known iOS issue if multiple Exchange profiles are using the same ActiveSync address (sentry.mydomain.com), so as a workaround we are using DNS aliases to make sure there is no synchronization problem, e.g. sentry1, sentry2 etc. pointing to the same IP address. Of course the SSL certificate has to include SAN attributes. For Android Enterprise we recommend the setup with Email+. Also working fine with Kerberos. In all cases we need to manually allow the ActiveSync association, since the device is not registered with the same user ID as the mailbox. Drop me an email if you need more information!
*Thread Reply:* BTW: MobileIron has had the shared mailbox feature in Email+ iOS on the roadmap for more than a year... and it always gets postponed.... so I have some doubts it will ever be implemented...
*Thread Reply:* Yes, I think this is on the roadmap for Outlook too... They've released the feature to access the shared calendars a few weeks ago. So mailbox access should follow.
*Thread Reply:* Wow Alex, that known iOS issue passed me by, thanks for the info! Do you have a reference for that bug? So you did enable the shared mailbox user accounts and then use custom attributes for the passwords within the Exchange and AE Email+ configs, right?
*Thread Reply:* @Alex Chappuis this is what we did for those situations as well. Happened to have a wildcard certificate, so just created a new DNS entry and forwarded to the Sentry. Administrative Assistants were never so happy as they were when we rolled that out.
*Thread Reply:* @RobE I don't have any Apple tracking number, but just try to distribute two configurations on a single iOS device (with the same backend URL); you will see that iOS is mixing the inboxes and does not behave as it should! We don't need any password since we are using Kerberos. We are using a dedicated SCEP template with hardcoded user UPNs and DNs. That's the beauty of EMM admin's power 😲 The SCEP master simply has access to any mailbox (this is btw a risk that has to be explained carefully to the customer). We did not need custom attributes. Just hardcoding some parameters and using the variable $NULL$
*Thread Reply:* Right, should have read Kerberos in your posting 😂
We’ve got reports that the Mobile@Work client is not available in China Apple App Store. Anyone else heard this? The Pulse Secure VPN client was just restored to the App Store in China. It took over a month to get that sorted out....now this! 😤😡
*Thread Reply:* We just got confirmation from Apple that the client is no longer available in China. This is what our users are seeing:
*Thread Reply:* There used to be a similar issue for MI Tunnel back in time; it's been replaced by MI Centaur: https://itunes.apple.com/us/app/mobileiron-centaur/id1315143363?mt=8 Or https://community.mobileiron.com/docs/DOC-7346
*Thread Reply:* I don't know if there is also an alternative for M@W
*Thread Reply:* you should ask MI directly!
*Thread Reply:* We’ve got cases open with MI and Apple. The workaround for us will be using clientless (ireg) and pushing the client using VPP.
*Thread Reply:* @Phil Hackett In that scenario, would the client derive from a US-based App Store or the China instance?
*Thread Reply:* If it tried to pull from the China instance, wouldn’t it fail?
*Thread Reply:* Might be time for MobileIron to update the “Mobile@Work In-House SDK” offering
*Thread Reply:* https://community.mobileiron.com/docs/DOC-9162
*Thread Reply:* Symptoms: We have received reports that the Mobile@Work application is no longer available in the Chinese App Store beginning on 21 November 2018. Resolution: MobileIron is investigating the cause of this internally and this document will be updated as new information becomes available. The Mobile@Work application remains available in all other regional App Stores.
*Thread Reply:* We are able to push the Mobile@Work client using device-based VPP. Not sure if this works because our VPP account is from the US?
*Thread Reply:* IIRC Apple said the VPP would follow wherever the top-level account was established
*Thread Reply:* It’s been awhile since that conversation was had tho
*Thread Reply:* We are assuming the same as well. I’ll throw this question to Apple account manager next week.
Hello everyone! Just updated my 9.7.0.2 Core to 10.1.0.1…. now I am getting lots of errors in the MIFS log (which might be nothing, but are concerning nonetheless):
`Cannot determine the encryption version from cipher-text`
and `[PolicyProfileBuilderUtils.getDecryptedString:50] (MIServerWorker-0:) Unable to decrypt:`
Anybody know what that means? Clients are checking in normally, all Services are verified OK..
Hello @fridomac - I can’t say I’ve come across those recently. I wonder if the Core is receiving a connection from an older host that’s running SSL or a lower version of TLS, etc. The two errors seem to go hand-in-hand (somewhat). Have you submitted a ticket with support?
Thanks for the reply @Woody No, as we only seem to have support through a partner (that has gone out of business since) and not through MI directly.
Ah, okay @fridomac. Sorry to hear that. I’ll check around and see if I can “decrypt” where those messages are stemming from.
Ok, any text around the actual error? That might point us to what MIFS is doing at that time.
Had to leave the office early today; will check the logs tomorrow and post them. There was no text that sprang out to me as to what it was doing... I had a lot of devices checking in at the time after the Core was down for the upgrade... Thank you for helping 🙏
I work for MI. Lots of customers making that upgrade (a very very large one comes to mind) are having that issue. Will need to update the ciphers used in System Manager. Will get more information when I have a moment.
TL;DR: set ciphers to default and test in dev first.
"Failure for a number of devices to check in was due to an SSL handshake error when connecting to api.push.apple.com. This host is used for APNSv2, which Apple will be switching to very shortly.
Reviewing the Core's outbound SSL settings, and comparing the cipher list with those successfully selected by api.push.apple.com, it was found that Core did not have the appropriate ciphers selected for outbound connections. We set the list to the default recommended cipher suites (which, in the process, removed a number of outdated and insecure ciphers).
After restarting the MIFS service we performed a force check-in on your device and reviewed the logs for any failures. The device did check in, and no more SSL handshake failures were seen."
Hello everyone! Is there anything else to do in order to restore a MI Core from a backup file than going to System Manager --> Management --> System Backup, selecting the file and clicking on “Restore”?
Required:
@Rob Thank you for the answer. I did that by accident: after the first upgrade from 9.7.0.2 to 10.0.1.0 I reset the ciphers to default, and then did the upgrade to 10.1.0.1. Today everything seems to work fine, devices checking in etc.
Perfect! Glad it's working now and happy to help!
@Denmaru if all you are doing is restoring a Core from the system manager you will just need to make sure devices are not checking in, downloading apps, registering devices, etc while this is happening. I am not sure why an additional new Core VM was suggested
*Thread Reply:* Wow, that is news to me. What about migrating an existing Core with around 10,000 devices to a new Core in a different location? My plan would be: create a new Core VM (same FQDN) in the new location with the same software version, set all the firewall rules for the new Core, export a system backup from the old Core and import the backup into the new Core. Last step: switch DNS over to the new one.
*Thread Reply:* Just make sure, when you restore the backup, to select "Exclude System Configs on Restore". Assuming your new Core in a different location, will have a different system config (IP address, interfaces, routes, etc.)
The only error message I still get is:
```
2018-11-28 15:02:33,823 ERROR [Request.parse:1581] (http-bio-127.0.0.1-8083-exec-1031:) Error in status : ERROR
2018-11-28 15:02:33,823 ERROR [Request.parse:1582] (http-bio-127.0.0.1-8083-exec-1031:) Response Error : <?xml version="1.0"?>
<!DOCTYPE plist SYSTEM "file://localhost/System/Library/DTDs/PropertyList.dtd">
<plist version="1.0">
<dict>
	<key>CommandUUID</key>
	<string>UUID redacted</string>
	<key>ErrorChain</key>
	<array>
		<dict>
			<key>ErrorCode</key>
			<integer>12021</integer>
			<key>ErrorDomain</key>
			<string>MCMDMErrorDomain</string>
			<key>LocalizedDescription</key>
			<string>„ScheduleOSUpdateScan“ ist kein gültiger Anfragetyp.</string>
			<key>USEnglishDescription</key>
			<string>“ScheduleOSUpdateScan” is not a valid request type.</string>
		</dict>
	</array>
	<key>Status</key>
	<string>Error</string>
	<key>UDID</key>
	<string>REDACTED</string>
</dict>
</plist>
```
*Thread Reply:* I see this error on many Core 10 servers. I always assumed this is because the device(s) might not be supervised (and the Scheduled OS Update command is for supervised devices only)
*Thread Reply:* Might be; we still have some unsupervised devices (one of the tenants of our MI server does not believe in DEP and finds it “too hard”).
*Thread Reply:* Yeah, in that case I would ignore the error.
Which I think is something related to German localization….
Hi everyone! MI Cloud and AAD integration with ADFS. Users and groups are synced ok, and the MobileIron app settings should be fine. When logging in to eu1.mobileiron.com it redirects to ADFS like it should. After that, error: AADSTS65005: Misconfigured application. This could be due to one of the following: The client has not listed any permissions for ‘AAD Graph’ in the requested permissions in the client’s application registration.
*Thread Reply:* This is resolved! We double-checked everything and there was a “www” missing in the identifier (entity ID) URL.
I’ve done a few of these before, but never seen this kind of error message🤔
Sounds on the surface like a misconfiguration of the MI “app” in the azure ad infrastructure. Does it have the right API access permissions in AAD > Apps blade?
Logged a case with MI today, I’ve got two cloud customers with Galaxy XCover 4's on 8.1.0 not enforcing passcode 🙄
Cloud Mark. Bug reports show the config is set as a device policy but the devices just don't prompt to set it, Vs other devices on their estates.
Both legacy and advanced passcode also. Bizarre.
MI haven't responded to the ticket in a full day so far so no progress there.
Might be your issue? Policies do not apply on Cloud with R57 client
This isn't it I believe - but that's certainly the bug we found with enrolment a couple weeks back
Same result with the Go 3.5 version released a couple of days ago?
Received an interesting use case and I would like your input: Customer has like 10 different on-premise applications, which are accessed via one Sentry with iOS Safari (Tunnel). One Tunnel VPN config exists where all the on-premise FQDNs are defined and Safari triggers automatically. Now the customer wants permissions for which user can access which backend application, like group A is allowed on backend A and group B is allowed on backend B. Of course different Tunnel VPN configs can be created for these user groups, but that will not stop the user from triggering the Tunnel manually and entering the FQDN manually, because a user from group A would also have the Tunnel app and the AppTunnel cert on the device and could therefore access backend B (if it is not possible to configure these permissions on the backend). I believe this is not possible without MobileIron Access; not even sure if it is possible at all with MobileIron Access. Any thoughts?
*Thread Reply:* Agreed. You need an idp in there to govern this. Alternatively you link the AD group which grants access to the app, to the deployment of the tunnel. This means that once they have the rights to access to app, they also get the vpn.
No access, no vpn.
*Thread Reply:* Right, thanks Simon. I thought there could be a way to, let's say, create a tunnel config for backend A, trigger for backend A, but ignore everything for backend B. But that doesn’t seem to work. There will not be a user without Tunnel being deployed, because everyone is using it, only with different backends.
*Thread Reply:* Though I wonder... I’m not sure how mobile iron sets up the tunnel... can this be setup with a certificate for authentication?
*Thread Reply:* Yes every user has an identity certificate
*Thread Reply:* This is typical use case for an intelligent reverse proxy such as F5
*Thread Reply:* Sentry is not designed like this
How about making sure people only get access to the apps they are allowed to use? Even when they somehow download the apps themselves the Tunnel would not be triggered, not even when they enable the tunnel themselves. So, make sure users only have the apps they require.
If only Safari and webapps: indeed, create separate tunnel configs. Even when they manually enable it and type the url, the vpn will not be used as safari is not instructed to do so.
*Thread Reply:* Yes, agreed. In my case it is only Safari. Ok, then I have to take a look into the Tunnel VPN test configuration for missing or wrong settings, because right now I only configure one backend but manually entering another backend also works.
*Thread Reply:* You have to restrict the Safari domains so that only the allowed app / URL is allowed. The rest will be sent to the internet and not the tunnel. So, be more exclusive/restrictive.
*Thread Reply:* How exactly would you restrict the Safari domains within the VPN configuration? I don’t see how this can be achieved and the Tunnel guide is not much help either. Tried it like this:
*Thread Reply:* Never connect for forbidden backends and connect if needed for allowed backends
*Thread Reply:* The guide says for on demand rules: “VPN on-demand rules are applied when the device’s primary network interface changes, for example when the device switches to a different Wi-Fi network”..
*Thread Reply:* That screenshot does not apply to Safari domains, it only applies to the Per App vpn connections. Below that you would see a paragraph called Safari domains. Here you would enter the domains. Say the domain is domain.com and you would like to grant users access to appA.domain.com but no other hosts in that domain, then enter in the Safari domains appA.domain.com. If you enter, for example, domain.com, the vpn will be triggered and the user can access any host within the domain.com domain.
Last thing: this should effectively be handled at the application backend level. If a user is not authorized to use it on the application level, it does not matter if they can get there; they would not be authorized to use them anyway.
*Thread Reply:* Agreed.
This should be all controlled at the app access level. If you're not approved to use it, then you shouldn't be able to login even if you can get to the login screen.
Common sense
*Thread Reply:* Totally agree with you guys! 👍
Anyone know of a CLI command that would export a .csv to an SFTP for inventory export?
*Thread Reply:* You mean a way to automate device list export to an SFTP?
*Thread Reply:* I would say Assemble task + save to an SFTP drive
*Thread Reply:* For completeness, this is also possible with IronWorks (https://ironworks.io/) but with the added disclaimer that this is our solution… 🙂
Cloud R58 is rolling out, EU1 has it. COPE support for Android is there also, and it’s ever-so-slightly smoother than Core!
@here MI Cloud R58 has pushed COPE for AE as a default config applied to the Android device group. I’ve replicated in three tenants (1 of those customer). Any work-managed deployment will default, by the looks, to COPE if the device is 8.0+.
For any AE customers, this needs to be unassigned from the Android group before they enrol any further devices.
Zero impact on Work profile deployments as it only affects work-managed. If they want COPE they can leave it as is, but I'd generally expect a bit of planning before turning it on!
Anyone familiar with this? https://community.mobileiron.com/docs/DOC-7604 Came across a Core 10.1.0.1 today where this is enabled. iOS users can't access Apps@Work via Webclip: certificate prompt and user prompt exactly like described in this KB article. Have not moved the port to 9443 yet; disabling cert-based auth within the Apps@Work settings didn't help. I thought this would be fixed with 10.x? Has anyone come across this?
Not seen this yet, as we're not using mutual auth for our customers yet.
Guys do you know if Wiko devices (Android - never heard of it before) are supported with an MobileIron Exchange config - it seems like there is no supported native client on these devices. https://de.wikomobile.com
*Thread Reply:* Sorry... Have to chuckle...
My wife is one of their in-house legal team... They're a French brand (2nd most popular brand after Samsung here in france) and their HQ is here in Marseille!!
They do support Android Enterprise with Gmail, can't speak as to mobileiron though but shouldn't see why there would be any issues.
*Thread Reply:* @Simon Hardy-Bistagne does she want to send a few samples my way for testing? 😁
*Thread Reply:* Shouldn't see why not. I'll get her to drop their PR folks a request. Will drop you a PM
Anyone have experience dealing with orphaned certs and deleting them from iOS devices? I recently retired my device and RE-enrolled it
Apps@Work keeps giving me this. If I tap the bottom cert a ton of times it works but I can’t figure out how to delete the top cert
Pretty sure based off the # it’s the older one from my previous enrollment but it got orphaned on the device. I just can’t manually find it anywhere to delete it
You can’t delete them as you do not have access to the keystore. Issue seems to happen to random retired devices. Only thing you can do is a factory wipe.
*Thread Reply:* You could try and repush the Apps@work certificate profile as detailed here: https://community.mobileiron.com/docs/DOC-1957 But that never seemed to fix it at customers and was only resolved with a factory wipe.
*Thread Reply:* Ouch, that is not fun. I heard rumors the Cisco AnyConnect app was actually able to find and give users the ability to delete an orphaned cert. Worked for me prior to iOS 12, but I only recall using it twice.
*Thread Reply:* It has been at least a year since I used it but here are the steps I used with Cisco AnyConnect
*Thread Reply:* 1. Download AnyConnect, 2. Select Diagnostics at the bottom of the screen, 3. Select Certificates, 4. Select Edit at the top right, 5. Select the red circle with the white dash for the cert you want to remove, 6. Confirm by tapping Delete to the right of the cert, 7. Select OK
*Thread Reply:* Thanks @dustinclark. Same steps I used to do... currently it’s not seeing the orphaned cert though.
Duplicated UserIDs: 1 Core with 2 LDAP settings/connections for two different domains - the old domain and the new domain. But the UserIDs are equal across the domains. Not supported, right?
Depends; if you need the 2 domains for user migration you can have 1 of the 2 accounts disabled and change the LDAP search filter to not include disabled users. The other option is to change the UserID property in the LDAP configs to UserPrincipalName instead of sAMAccountName (if the UPNs are unique, of course).
See: https://community.mobileiron.com/docs/DOC-1849
Also make sure not to use groups with names that exist in both domains. That will cause another set of headaches...
What is the benefit of using an Enterprise Connector for LDAP with Core? The documentation states that the LDAP servers are still configured like without the Connector by using either LDAP or LDAPs (Services/LDAP) - but I don’t have to open 636 or 389 because of the Connector which uses https, correct?
*Thread Reply:* It’s so that you don’t have to expose your on-prem AD servers to the public internet.
*Thread Reply:* You mean in case of Cloud, right? We are using Core, so I don‘t have to publish my AD servers for LDAP requests - at least I would have to open the ports for the DMZ if Core sits only in the DMZ.
*Thread Reply:* You would have to open up the LDAP port on the firewall between the DMZ and your AD server. With a connector on the same side of the firewall as your AD, you don’t. The connector opens a port 443 connection to the Core; the firewall sees this as an inside-out connection. The LDAP traffic from the Core to the AD server inside that 443 connection opened by the connector is considered return traffic. When configuring your LDAP servers you do not have to tell Core there is a connector. If Core cannot reach the LDAP server directly, it will check if there is an incoming connection from a connector and will try that one to connect to the LDAP server. You can even set up multiple connectors for redundancy.
Anyone know the best way to push conference room calendars to an iPhone?
And you can put comma to pass through the conference room number
Anyone experience with Connector version 10.1.0.0? It seems that this version has a memory leak that causes Connector Service to reboot every 1-5 hours. We also have Connector with 9.x in another environment with the same setup and they are running stable. Unfortunately, not receiving much feedback from MobileIron. I did a clean installation because the Update didn’t work
*Thread Reply:* Update to 10.1.0.1 did NOT fix the problem. Still same errors; 2018-12-18 08:09:08,904 ERROR [systemWd] (ECSystemWatchdogThread.mainServiceLoop:80) - Some threads not healthy for service: ECServiceHealth:ldap, numThreads - Configured:4, Created:4, Running:3 Exception in thread "ldap2" java.lang.OutOfMemoryError: Java heap space
Re-installation is the only solution I’ve used for that; not enough time to troubleshoot this.
But it was a clean install on both without import of configuration. installation following the MI instructions and with the same settings as before. And same problem on two connectors.
I had this issue sometimes on earlier versions, but couldn’t test 10.1.0.0. I guess you’re stuck with that issue until MI solves it. Can you install an earlier version ?
Yes, I did a rollback the first time, but I have another issue with Integrated Sentry and O365, where MobileIron asked me to upgrade, so I am kind of stuck with version 10.x. But Monday I will update to 10.1.0.1 and see if it gives any changes. I know that other customers have problems with 10.x concerning the update from 9.x to 10.x, where the update doesn’t work (it just comes up with 9.x after reboot).
Hey Ben - we use horizon workbench for our dev VM's/escalated priv jump boxes. What's up?
trying to create a managed app config by decoding their air watch docs
however it looks like it is going to configure then stops
`<?xml version=“1.0” encoding=“UTF-8"?> <!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd“> <plist version=“1.0”> <dict> <key>servers</key> <string>vdi.mycmc.com</string> </dict> </plist> '
The value following "version" in the XML declaration must be a quoted string.
That checks out. Are you able to get the app log by any chance?
Thing that sucks is we now have a whole dept down
Hi all, how can I restart just my port 443 instance of Tomcat?
@macbentosh service tomcat stop and then service tomcat start. Depending where you are at in the CLI you could instead do service tomcat restart
Anyone ever had a problem where the MIFS will randomly crash every two weeks and MICS stays up? There is nothing in the logs and a reboot is enough to make it run again, but I’ve never seen stuff like that. It’s a small server with 50 iPhones, so not even that busy!
If so, there is a known issue with Elastic Search crashing the Core: https://community.mobileiron.com/docs/DOC-8444
Always wait for the service pack, aka the x.1 release. JK!!!! Sort of 😜
*Thread Reply:* We’re about to do this with airwatch and intune...
Interested to hear your thoughts
*Thread Reply:* for now I'm testing the API calls
*Thread Reply:* we will certainly configure it in preproduction in january
*Thread Reply:* We did it @ Kindred about two years ago with Core. Included some custom SAN values in the certificates for ISE to identify ownership of the device and assign accordingly. Was a pretty clean setup. @Jonathan Henson and @japple can speak to how it's been behaving over the long haul.
*Thread Reply:* FYI, the API call is case sensitive and this one works: /api/v2/ciscoise/devices?paging=0&querycriteria=macaddress&value=A85C2C317842&filter=all
*Thread Reply:* The "C" of querycriteria is lower case.
I'm having issues to filter the API calls with the defined request params
https://{{server}}/api/v2/ciscoise/devices?paging=0&queryCriteria=macaddress&value=A85C2C317842&filter=all
Assuming you are querying for the MAC address of the WiFi interface, does the wifiMacs parameter work instead of macaddress?
Scratch that, that is a v2 API only, not ciscoise.
Same issue for me. Tried it with Postman and tried to use udid, imei and macaddress. All return the complete list of active devices...
Cisco ISE integration documentation was non-existent until I asked for it a couple of years ago. Seems like they have not updated it since... guess you will have to report a case
Already reported a case, I also noticed that with any filter
Hello! Just had a not so nice talk with our network admin, who showed me a report from his Firewall, which said that my core and the 2 sentries seem to have connected to known Command and Control-Servers for Malware… Has anybody seen something like this and what can I do? (Core is Version 10.1.0.1, Sentries are 9.3.0).
*Thread Reply:* Afraid I can't help with the remediation aside from investigation of the destination ip to ensure it really is a known CNC server and raise it with mobileiron.
Do you have the destination address of the CNC service it's connecting to?
*Thread Reply:* I wouldn't be surprised if this were a false positive
*Thread Reply:* Thank you for the answers. I hope it is a false positive, too. Will try to open an issue with MobileIron and check with them.
*Thread Reply:* In the report it looks like this:
*Thread Reply:* It looks like incoming and not outgoing connections, correct? Because the source IPs are not the MobileIron servers (I assume these are the ones covered in red)
*Thread Reply:* Are you sure the source IP addresses are in use by your MI servers? I see 4 addresses and you say there are 3 servers.....
*Thread Reply:* Deployment Docs still state that the only outbound connection Sentries should make by default (obviously changes if you have hosted email/etc) is support.mobileiron.com (199.127.90.0/23) for the software update repository and SFTP upload of showtech logs
*Thread Reply:* Agree with @Mark Vonk and @Almar Diehl - Those look like inbound requests from external hosts attempting to connect to the Sentries on TCP 80
*Thread Reply:* Yeah... I'm even more sceptical now I see them...
From the IPs I see your Sentry is being scanned on those ports by someone hosted on an Alibaba cloud service.
Looks unlikely that you've actually been compromised.
*Thread Reply:* @Almar Diehl One IP was listed twice, that's why there are 4 lines (there are pages full of these lines in the report)
*Thread Reply:* Anyway, port 80 (incoming, so from Internet to the Core and/or Sentry servers) should not be opened. Block by default. There is nothing running on port 80 anyway, so there is no harm. As Simon said: the 4 IPs are from China (Tencent Cloud Computing mainly). So nothing really happening, they are just trying to find a weakness. In all honesty, it would be surprising if your firewall did not detect such behaviour continuously....
*Thread Reply:* Yes, 4 different source IP addresses. As said by others this looks like an attempt to contact your MI servers from the internet on port 80.
*Thread Reply:* The firewall (Cisco Firepower) was implemented just in the last few months, so we don't have a feel yet for what is “normal” and what is not. Also, the firewall rules for the sentries were put in place when we first installed them 6 or 7 years ago, so it is possible that port 80 is open (might have been necessary then). Will check that and close 80. What I wonder is how it gets the idea that there were outbound connections to those servers when the report says they were inbound….
*Thread Reply:* I think it is just your network admin that got that idea, not the firewall 😁
*Thread Reply:* Might also be 🙂 But it is listed in the Malware report from the firewall as “Intrusion Event - Malware Backdoor”
*Thread Reply:* Port 80 has never been a requirement in the time I have been working with MobileIron. Neither for the Core nor the Sentry. Despite that, it might be a good time to check the firewall rules for MI servers and update them. Some ports are no longer needed or used (like 8080, 9998) which were needed 5 or more years ago.
*Thread Reply:* Yes, will check that with our firewall admin, now is a good time for a review of these rules (many of which are outdated, as you have guessed correctly)
*Thread Reply:* If the servers are infected with Webshell malware, the malware might be opening port 80 to allow for remote administration of the server. See: https://www.us-cert.gov/ncas/alerts/TA15-314A The message from your firewall and engineer are not really clear. Better have them check and see what's really going on (ie. what is actually seen from a dataflow perspective)
*Thread Reply:* Just tried a portscan against the three servers, port 80 is open on all three…:-(
*Thread Reply:* Have your network admin block port 80 to all MI servers
*Thread Reply:* That would be step 1. Step 2 would be to determine if your servers are infected. It could have previously been infected; the malware abuses common ASP, JSP and PHP code execution. So they could have used that on the Core/Sentry using JSP (MI uses JSP on Tomcat) to infect the servers with the malware. Best thing to do would be to involve either MobileIron support or some security expert with Linux knowledge and have them assess if they are infected.
*Thread Reply:* Agree with Mark. As the ports are open, it's better to close off those ports immediately and monitor your server activity out to the web.
Also get mobileiron involved to check it out
*Thread Reply:* Will open a call with MobileIron Support and have them take a look, Thank you for your replies!
*Thread Reply:* Try and see if your firewall admin can save the logs (hopefully, the full HTTP requests are logged). That would make it easier to find out if the servers are infected. Once the malware is installed, the people will try to access the servers using port 80 and leave files behind that do not belong to MobileIron. With the HTTP requests in detail, it would be easier to find the files. It did not look like something serious, and hopefully it's not. But it might be more serious than I made it look like before. Good luck!
*Thread Reply:* And let us know the outcome please.
*Thread Reply:* PS. also make sure to configure and use the ACLs (portals, API, etc.) on the Core (System Portal) if you haven't done that already.
*Thread Reply:* on the core CLI (tcp), I see lots of connections on port 80 (SYN_RECEIVED) to an address in California (23.234.39.87)
*Thread Reply:* will check the other recommendations and will report back tomorrow night….
*Thread Reply:* A brief search says that IP belongs to a Chinese owned, US based hosting company who target mostly Chinese customers who need hosting in the US.
*Thread Reply:* That’s what I could find out, too. Thank you!
*Thread Reply:* OK, just heard back from Support, there are no nefarious things on the Core and Sentries, and we closed Port 80.
*Thread Reply:* Great to hear!
I think it's a good warning to all of us to make sure that we have a regular review of open ports. Especially if we have had our servers in place for a while.
Anyone using device spaces to separate different branches/locations? I am curious which permissions you give your device space admins, any best practices suggestions and how do you deal with the limitations on Core regarding no lockdown policies or Email+ configs unique for device spaces.
Mainly using Spaces for local IT admins for basic admin tasks or troubleshooting
Any ideas why sometimes the APNS and AppCommunity services shows failed on Core? (UnknownHostException), and most of the time it shows success?
*Thread Reply:* How many DNS servers did you configure and are these ones internal or external?
*Thread Reply:* you should look if they are always able to resolve internet names. I've not seen such issues; an "UnknownHostException" is due to DNS resolution
*Thread Reply:* Thanks I will.. makes sense
Does anyone have any insight as to what happened to the MI Insight app? It seems to be removed from both AppStore and Google Play without any announcement, probably due to incompatibilities with latest Core releases.
*Thread Reply:* Darn! That was a fairly useful tool for basic remote administration
*Thread Reply:* #MobileIronTeam, any insight?😊
*Thread Reply:* I believe that they stopped development on it a while back. I left mi about 8 months ago, so my info may be out of date, but that was the status when I left.
How do you guys handle monitoring and alerts with MobileIron? SNMP with Nagios, is there a document which checks can be used? Also Event settings / system alerts for admins: are you using a dedicated alert address or just the known admins directly? Thought I would create local admin account with a email address which is a distribution list for all the admins or ticket system, any good?
Found this, but the link is not working anymore
https://community.mobileiron.com/docs/DOC-1843
And/Or MobileIron Monitor (which lacks some features for now but is very useful for deep insight on Core performance)
In the privacy policy you can set if SMS or Call logs are enabled. If enabled, are these logs part of the Core Showtech?
*Thread Reply:* ok, and do you know where to find these logs and how to gather them?
*Thread Reply:* This is legacy. It was only for Samsung KNOX API devices (old APIs known as SAFE). You will need to create a SMS and Phone call log system (email, syslog, splunk, etc). Check the Android management guide for your Core version
*Thread Reply:* Mark are they deprecated in Knox now? Presumably when core supports the unified APIs this will work with Samsung in AE also?
*Thread Reply:* Not sure, as these are not KNOX APIs but former SAFE APIs. Not sure if these will continue to work (without Device Admin) with KNOX 3.0 or higher.
*Thread Reply:* yikes, this is pretty interesting news! Thanks @Mark Vonk 🙏
Anyone else having issues with failing APNS services running Core 10.2? 10.1.0.0 showed success - after the upgrade to 10.2 the service fails. Ciphers are default.
No issue here with 10.2. Maybe apply the defaults again and reboot the server. That has fixed it in the past
Any ideas why after stage for install reboot Core doesn’t apply the upgrade? 10.0.0.3 was downloaded successfully, but Core is still 9.7.0.2 after the reboot.
Had the same on our server, would never upgrade when performing the stage for install/reboot from the System Management portal. Performing a Software Update and Reload on the CLI solved my issue.
Ah, @Almar Diehl guess there’s some broken linkage in the UI. Good to hear initiating via the CLI worked!
Looks like there is not enough space within /: 14G available, but 15G recommended
*Thread Reply:* Yes, this is a known issue. It does not warn you, not even during the Verify stage. There is a document on the communities site on how to enlarge your partitions.
*Thread Reply:* Thank you Mark. Yes I have seen that document and I gotta say this is pretty rough and tough.
*Thread Reply:* Yeah, take your time and make sure you have backups and snapshots. If you don’t want to take the risk: set up a new Core, same version, with enough disk space and perform a backup of the old and restore it to the new server after shutting down the old one. That way you always have a fallback scenario.
@MichaelM21 Support should be able to help you clean that up.
@here Curious - Do we have any folks here using Okta with MobileIron for SSO?
Hey Eric, I know Fredric from PS has some customers who do.
If yes, two questions:
1) Would you find value in utilizing Okta’s Universal Directory via an LDAPS Interface (eliminating need for Connectors)?
2) Would you find value in Okta lifecycle management (aka provisioning/de-provisioning) (via SCIM) into Core and/or Cloud?
Also together with AaaS, where Okta acts as IdP
@Mirko Bülles Nice! I thought we had Fredric on here.. I may send him a personalized invite 🙂
@Mirko Bülles Okta can Del Auth to Access, both running on Sentry and AaaS. Is that what you were getting at?
OKTA can be used as IDP with AaaS, I have not used it that way, only with ADFS, but Fredrik does. So best is to ping him. But the only time I would use this is if the customer does not want auth traffic to flow through Sentry. Otherwise I would always stick with Access, instead of Access with DelDP as you lose some features.
Woody #2 would be useful for us if it also let us decide how to retire in core / cloud.
For example we may want to apply a label if Corp owned train straight retire if certain conditions apply
Nice feedback @Kiran Patel! Will add to my notes 😁
Does anyone know on the fly how far back the audit logs remain on Core?
The setting is configurable through System manager portal. I think by default it's 3 months
Is there a negative impact when location based checkin is disabled within the Privacy policy?
Time intervals between automated check-in and device compliance checks will be increased.
Apart from that I don't believe there is much else.
What is the actual purpose of that feature?
To use the change in your location to trigger the said checks rather than relying on the timed automatic checks.
It means more regular checks while you're using the device rather than relying on fixed times when the app checks.
This means that the time between becoming non compliant and the app detecting it is shortened.
Short Email+ feature question: 1) is there a search option within the Email+ calendar? 2) is there a calendar week view within the Email+ calendar? I am guessing feature request!
Thanks for the feedback. On Android enterprise Email+ I cannot find anything about calendar weeks. Are you referring to AppConnect?
No, I am using the AE version, see the screenshot.
*Thread Reply:* I don’t see the calendar weeks in your screenshot either!
*Thread Reply:* Here you can see the calendar weeks on the left hand side..
*Thread Reply:* Ah, now I see what you mean by ‘Calendar weeks’. No, this is (still) not available.
*Thread Reply:* But what I see in your screenshot is in email+ the month view. In my screenshot you see the month view in Email+ 3.0 (beta), that also includes the weeknumbers!
@Almar Diehl Feature Request (ID # 42014) regarding "search box" open since 29.03.2017...
@Nicola Good news, calendar search will be available in Email+ 3.0, currently in beta.
Has anyone seen Screentime get restricted with mobileiron cloud? If so, do you happen to know the restriction that causes it?
Found this in Apple’s documentation, so that correlates to “Allow user to enable restrictions in Settings UI” in the iOS restrictions policy on MI Cloud.
anyone configuring work space with a managed app config
Do you mean device spaces or Work Space as in Android enterprise work space?
the Store URL to Workspace for iOS @MichaelM21
Has anyone in here had to use Threat Defense with MI Core 10.1?
*Thread Reply:* I wouldn’t say we had to but we are testing it right now for a few users in Prod
MobileIron issued a press release about their new SVP of product management. Anybody read any significance into this? Or just business as usual? https://www.businesswire.com/news/home/20190116005042/en/MobileIron-Appoints-Brian-Foster-SVP-Product-Management
They also announced a new CMO too at the same time.
Both have backgrounds in Symantec and McAfee so I think there is a pattern here... It looks like they're trying to get some more experience when it comes to larger security vendors up at the higher levels.
I figured they had to back-fill John Morgan’s role and Brian happened to be free. Business as usual as far as I’m concerned
Brian has experience at McAfee and also a company called Neustar which works with identity protection.... Just to say 🙂
Ah, good ole Neustar. They had some cool offerings back in the day. Guessing they’ve innovated since then and are still relevant
Does anybody know If Zebra (Android 7) devices can be enrolled as Android enterprise with Core or is there a certain difference?
Zebra Android 7 are as far as I know GMS enabled so: yes
Yes but be careful. Most of the Zebra devices come in 2 flavours, one with GMS and one without.
Make sure you have the right ones ordered.
Ah got it. Is there a way to find out in the device details if Play Services are available on the device?
If the play store (or any other Google's app) is installed then you have GMS
Yes, we’ve got quite a few Zebra TC51 / TC20’s which are registered with Core as Work-managed / COSU devices. They are running Android 7 (GMS enabled).
Thanks for your feedback. Found out that the customer bought Zebras without GMS, so no Android enterprise, only DA. Therefore they have installed M@W manually via APK. After the devices have been enrolled, can new versions of M@W be pushed/managed via Core? I guess so.
As long as they don't upgrade past Android 9 in the future you should be fine. Just remember the normal limitations of managing non GMS devices.
Right, I have already mentioned the DA deprecation. What normal limitations are you referring to?
Normally just a delay in processing commands... I'm not sure if MobileIron has its own alternative to Google push notification services like AirWatch does, or if you issue wipe commands or password resets there might be a delay until the device syncs
Core Security Policy - what is the reason for using "out-of-policy for X number of days" and "out-of-contact for X number of days" together? Since "out-of-policy" is a much shorter value, this will always hit first. Because how can the device be out of contact but still receive policy changes? I don't grasp the sense behind this.
For us it would be so that you can apply different actions based on the status.
For example. a device out of policy due to a blacklisted app we would remove mail profile right away, but if the bad app isn’t removed after 10 days we’d remote wipe the device.
For out of contact after 30 days we would assume the device is no longer in use and simply send a straight wipe command and delete the device record.
Very interesting, thanks Simon! 🙏 ah now I get it, out of policy doesn’t literally mean when a policy is out of date! 😂 It means when the device is out of policy like you described with an app control rule violation for example! Stupid me 😂 ..how do you automatically delete the device after like 30 days? Custom compliance action?
No, that is not correct: out of policy for X number of days means that the device has not had a policy applied successfully in X days. So for whatever reason the policy is not applied onto the device. Could be due to the fact the device is not communicating with the Core, but could also be because the policy fails to be applied successfully.
I was referring to this: “It means when the device is out of policy like you described with an app control rule violation for example!” From @MichaelM21 . This is not correct. This rule has nothing to do with being out-of-compliance
Are you guys working with Events on Core? I have created a System Event, but somehow the Admins don't receive any emails. Notification is set for Emails to Admins. I have picked the admins which have registered devices on Core. I have not selected a Label since it is not applicable for users. Any idea what is missing?
Not 100% sure as it’s been a while but I recall that the alert may also need to be sent to at least 1 admin's device?
Not anymore @Kiran Patel @MichaelM21 is core able to send email via SMTP?
Yes, it is configured and the invite mails from Core are being delivered
@MichaelM21 Check Logs --> Events. Do you see the events there, with the correct recipient list?
Yes I can see the events with the correct admins.
Anyone facing issues adding SharePoint site on AE Docs@Work 2.6 with Sentry 9.5?
Quick one: why is the Registration PIN not in the SMS? (Core)
*Thread Reply:* Because if someone makes a typo in the mobile number to use it would send the registration pin to the wrong person, giving this person the opportunity to register a device.
*Thread Reply:* Makes total sense! Thanks Almar 👍🙏
Anyone else having issues with Polaris failing the license activation with Docs@Work? Firewall issue?
@MichaelM21 it is usually related to blocking of networks/ports on outbound connections
Does the activation with Polaris succeed on an open WiFi/Cellular connection?
In the AppTunnel rules applied to Docs@Work, do not tunnel everything ( . ) but only your internal domain (**.domain.intra). That way, the app can contact Polaris servers without going through the AppTunnel Sentry.
It’s impossible to use the ** sign between brackets in Slack apparently
But what I mean is: do not use the ** sign for the AppTunnel rule, use more specific rules that exclude external service domains
Good hint, thanks @Mark Vonk 🙏..on iOS D@W I used server.internaldomain.com, but on AE D@W I am not sure, there could be a **.internaldomain.com, but not the wildcard alone.
What happened to MobileIron Rooms? 😳 can conference rooms now be booked/added via Email+?
MobileIron Rooms, now that one goes back a couple years
What happens when a user certificate from a PKI will expire which is used for Exchange - will Core Auto-Renew the certificate or is this a manual process via Admin Portal?
Core will auto-renew the certificate.
60 days before expiration Core renews the cert automatically
Hi there guys, Anybody ever tried to get the license/bundle data from a MI Cloud tenant using API calls? I’m not sure if this is even possible, since I can’t seem to find anything about this in the API document for Cloud. Tips are welcome if there are any at all.
Hmm @Tinus that’s a good question. I can’t say I’ve seen that option, but @Russell Mohr may be able to find out.
trying to update Android clients to the new Docs@Work and keep getting "there was a problem connecting to the server" when downloading
Coming from the Google Play store, right @macbentosh?
no APK downloaded from support.mobileiron.com
@Tinus no special licensing necessary to invoke API calls
unless you are setting a feature that you don’t have a license for…
@Tinus The APIs are different for the on-prem Core than for the Cloud version. There is a body of work planned to bring these into feature parity later this year, as part of the extensions to the CPS APIs (currently only in Cloud, and limited in functionality as well)
Our own IronWorks solution (for management reporting on MobileIron deployments) is currently limited to on-prem Cores and Connected Cloud integration for this very same reason.
We are looking forward to the new APIs, but they’re not fully there yet.
So, specifically to your question, feature bundle information is possible with API calls to the on-prem/Connected Cloud Core server, but there is no published equivalent for Cloud.
(We use this feature for our IronWorks licence calculator report)
@Tinus You can view in the GUI by clicking on Account info
I am interested in Use Cases for Compliance Policy Rules and Tiered Compliance - what are you guys using it for? Examples please 💪🙏
*Thread Reply:* Policy out of date, device not checked in, compromised, passcode not set... Likely more but can't think offhand
*Thread Reply:* I'm not sure if these map into MI, but I have used the following regularly.
Compromised: Enterprise wipe
Device last seen: Enterprise wipe after X days
Encryption: Notification + Block profile > Enterprise wipe
Roaming: notification email to TEM provider
OS Version: Notification with update instruction > block profiles
Passcode: Notification + block profiles > enterprise wipe
Personal macOS: Block + Notify
We also have various compliance policies around lookout where unless the app is installed and active then the user is blocked from most profiles and notifications get sent, along with various actions based on threats detected by the MTD.
*Thread Reply:* Right, thanks Jason. Policy out of hand, device not connected to Core could also be used in a Security policy. But due to Tiered Compliance you prefer Compliance policies, right?
*Thread Reply:* Can't say I much use them.
We use them for delivering longer-term trend analysis and compliance/management reporting (with e.g. ISO27k and GDPR reports baked in), operational dashboards, licence optimisation (and hence cost-saving) calculations, and many other features. Typically we’re saving IronWorks customers 14-34% in MobileIron licensing costs, but that number is climbing rapidly as customers roll out our new bundle calculator feature.
Does anyone know a way to retire (not wipe like with the security policy) devices if failed passcode attempts reach a certain number?
*Thread Reply:* iOS: not possible
Android: only Work profile devices act like this
*Thread Reply:* Probably a way with Assemble
*Thread Reply:* Nope, the number of failed attempts is not reported on Core, therefore Assemble can’t use it
@Russell Mohr @Jason Thanks Russell, Jason, but I would like to incorporate this info in our system monitoring tool that we are using for reporting on all sorts of systems. The current option indeed is to login on all of the customer tenants now and then, but I am looking for a way to automate that. Would be nice if in the future there would be a way to get this info through APIs.
Tip of the day: To be able to properly use MI CLOUD console with password managers you can put the username as parameter to the request like this: https://eu1.mobileiron.com/login.html?&uid=nicolas@miacme.com
Odd issue today folks. Seems to be 12.1.2. We have restrictions to disable passcode changes. We also have a policy to require a password. After a password is set in the setup assistant, when the restriction is applied the passcode is removed. Some of the setup assistant part is hearsay as I have not had a chance to get my hands on a device.
What is the password requirement you set? Alphanumeric?
@Tinus Interestingly, I can confirm that the next batch of CPS APIs are now at feature parity across both on-prem Core (v10.2 and above) and Cloud.
is there feature parity between the v1/2 standard CORE API and CPS?
We’re hoping to move completely across to CPS and are currently testing the new CPS APIs across both platforms. Watch this space for further announcements!
There’s still a lot of missing backbone functionality in CPS APIs as they stand, but the new MQTT based messaging for app and location changes is quite interesting and worthy of further examination.
Is there an app limit in the MI kiosk @here?
I never heard about limitation on the number of apps
at some point you should be limited by the device hardware though 😄
@MichaelM21 there we go! There certainly won't be on the AE side, so it'd be MI if anything
*Thread Reply:* Thanks @Jason Bayton & @NicolasR 🙏
*Thread Reply:* Thats an automated cleanup; the same device for the same user has been registered on the Core multiple times. Core automatically cleans up the oldest registration(s)
I have a couple of devices (mostly Android) where the device name on Core (10.1.0.0) is blank. Is there a sync cycle involved in collecting the info or could that be an Android thing, any ideas?
*Thread Reply:* Any particular brand or type of device you are having an issue with? Never seen that before.
*Thread Reply:* All of them are Samsung devices, different models
*Thread Reply:* Was this fixed after you fixed the connection to Google wrt Android Enterprise?
*Thread Reply:* No that was a different environment
Has anyone had the need to initiate a MI Core LDAP Sync through the API? Anyone know if this was introduced since this page?
@here anyone run into an issue enrolling MacOS where the initial enrollment profile gives this error: “Profile installation failed. Unable to decrypt encrypted profile.” ?
Are you using Core or Cloud, send me a screenshot if possible, Mirko.
Would anyone have more information about this Android Email+ problem? https://community.mobileiron.com/docs/DOC-9664
There's no further info ATM. They're working with Google to understand why it was pulled.
already enrolled devices keep the app. only new installations are a problem.
Must wait then. Email+ Preview seems to be there, but i don’t know is it stable
Email+ preview requires a license, so it's not an option. Just waiting is all we can do. I'd be interested in knowing what MI violated to have it pulled.
There we are, they failed to plan for the new enforcements on SMS/Phone permissions and got taken down. Great to see Google sparing no-one in this initiative. The app should be whitelisted and back up soon (one would hope).
If anyone is using Access-as-a-Service, be sure to update your Tunnel Clients (being released today) https://info.mobileiron.com/index.php/email/emailWebview?mkt_tok=eyJpIjoiTW1NNE9EZzJORGMxT0dOaSIsInQiOiJZNytybXpNWVFJTEZobi9zTlRHR2tVMklMRUtjYUFmQzJ3MTQ4MHlHOU9pZExla3hKSUhaRGY1RXBoSkFZWGtCbmx5UUczTnZUaGxjaDFFUFFCakhKVjdETkJhQm9WaG1aSFBHSVJZU3hlRkpUc3Y4V3U1SWUwc3hlWVBYSytnMSJ9
AND anyone using Core on a version less than 10.1 with Android Enterprise, it looks like app management will soon stop functioning as the old Play APIs have been deprecated. Get updatin'
*Thread Reply:* Any known timeline about this?
*Thread Reply:* Any article about this old API case?
*Thread Reply:* You should've received an email on it: http://pages.mobileiron.com/DOGu10V0HIX00t0GlW0g0cI
*Thread Reply:* ok, this one, thanks 😃
Same for iOS APNS: Apple will soon deprecate the old protocol. Hence you will need to be on Core 10 or higher.
There's a lot of stuff happening all at once right now.
Can anyone explain to me what that indicates? We deploy a lockdown policy for Android, where these features are enabled. Not sure what disabled means in this context.
Left: Settings value (your policy). Right: What the device is enforcing. Icon: Match (✔️) or Not (❎)
So in that case the device doesn't enforce "allow unknown source".. meaning it is disabled until the user enables it?
Not necessarily, you've also got usb storage and youtube showing as disabled on the device, which there'd be no enforcement of without a policy. Is the device properly enrolled with the policies showing applied? I'd think default security policies are in place while it finishes enrolling looking at that, but also is this the lockdown policy you're applying being referenced or just the first set of ❎ you've seen?
*Thread Reply:* I have enrolled the device via DPC, so it is work managed COBO. The lockdown policy is "Applied", but a lot of values have the ❎
*Thread Reply:* But also some of them are ✅
*Thread Reply:* That which is currently blocked on the device according to the screenshot, can you test it?
*Thread Reply:* Re-Enrolled the device, looks better now.. weird.. thx.. do you have experiences with printing from the Work Profile? It looks like it is not working trying to connect a printer via Bluetooth from within the Work Profile.
*Thread Reply:* My only experience is either utilising cloudprint, or apps like the epson/hp print enabler. Beyond that.. I certainly haven't tested via bluetooth
*Thread Reply:* Found this: https://community.mobileiron.com/docs/DOC-9134
*Thread Reply:* Good catch! There's your answer then
Anyone seen this on Core: Authentication server at https://accounts.google.com/o/oauth2/token is not reachable
*Thread Reply:* Yep, this AE service test fails on our Core’s as well. It’s a known issue for Core 9.6-10.1. It should not impact AE device management. https://community.mobileiron.com/docs/DOC-8547
any idea why apps@work webclick gets pushed out to all devices again after a core update?
The URL changes with CORE version at the end ;-)
I never tried but I guess if you push Apps@work webclip via another config manually created and removing this value, it should work. Of course remove distribution via the System config
Never tested though, I just know that this parameter of the URL is not required
Apps@Work needs a lot of TLC... experience compared to other vendors in the space is horrible
only part that was recently added that I like is pre-req apps but even that doesn't have a "download all" option that includes the current app you're trying to install
Has anyone ever heard of this: if an AD user has too many group memberships, they are not able to enroll in MobileIron via M@W?
@MichaelM21 No, and I have some examples which are working
I am setting up an AE Kiosk with Core 10.2. I register the device with a QR code. As soon as I register within the Mobile@Work client, the device is soon after reset to factory settings. My guess is that a profile change occurs and hence the device is reset. The kiosk config/policy is labeled to the device manually. Any idea if that is the issue and, if so, how I circumvent it?
The only reason that should happen is if the mandatory AE config isn't applied.
Another 10 points for Jason on the Android Enterprise leadership board! Thanks, indeed the AE config was not applied correctly.
so upgraded to 10.2 yesterday…VPP will sync but is not handing out lic.
Anyone have experience with MI Core LDAP sync hitting a 25% shift change and trying to figure it out from the logs?
I'm seeing a few of these in the logs but not many. ldap hash 3c323af94a7d2fd7bab67778fc87eb34 does not match db hash
Figured I'd poll the experts while support gets through 🙂
@Kiran Patel it shows in the LDAP sync log in system manager
Yup I've scraped through that but unfortunately not super useful / human readable
if it is in fact the threshold, it's usually pretty clear.
Cloud and legacy Android question -
Where's the option to remove apps on retire? I went looking for it in the app config area thinking it was like iOS only to see nothing exists there. I've got a customer retiring devices on which corporate apps aren't being removed.
*Thread Reply:* Ughh, turned out to be some massive query: AD groups were removed from enough users' "member of" attribute even though we aren't using those groups in AD. Learn something new every day!
hate to do this but… @here upgraded to 10.2 yesterday. VPP install messages are getting sent to the device but the devices are asking for itunes login. These are Supervised DEP devices and have received apps from core before. Anyone out there experience any issues with VPP and an upgrade to 10.2 or seeing VPP issues in general? Our token for VPP checks out.
*Thread Reply:* If you're being prompted for login, that suggests VPP isn't taking precedence over the standard label assignment.
Have you tried renewing and readding VPP? Maybe on a test app try assigning only to the VPP label and not the standard? (That dual-label assignment was a bug)
*Thread Reply:* Not sure what you mean about the dual label part
*Thread Reply:* renewing VPP? Re-import the token?
*Thread Reply:* In core you assign the app to a label, then assign VPP to a label.
*Thread Reply:* Wasn't tooooo long ago you'd only need to do the VPP label and not the app label.
*Thread Reply:* we have a blanket vpp label called Apps …All devices that are eligible for VPP apps. Then we advertise the app to the people we want to with a different label
For immediate production issues, I would rather consult MobileIron support or your Mobileiron partner. That being said; sounds like the app is not pushed as a device VPP app, but rather a normal AppStore app; hence the Apple ID pop up. Sounds like the Core is not actually connecting to VPP. Reset the default cipher suites for outgoing communication on the Core and restart it. Renew the VPP token and make a change (buy 1 extra license for a free app) and check in the MIFS logs for issues.
Yup I actually scanned the 10.2 release notes and they made specific reference to the TLS / cipher changes and a note about ABM support
enabled TLSv1 and 1.1 and can push VPP. Did MI ever disable v1 in an update?
@macbentosh port 8080 is now disabled ;-) Only port 443 for provisioning since iOS 12
MobileIron Authenticator works only with Access as a Service, right?
And it will not work when leveraging delegated IDP either.
I wonder if MobileIron will continue Access sentry for long time as there is feature difference
@Clark : authenticator will not work when Access as a Service is used as Delegated IdP?
Holy mother.. 😳 this is some bad news.. again! 😂 thanks @Mark Vonk
Why is that bad news? You're delegating your auth to MI Access and just let Access handle eveything. Device compliance etc
I am talking about the MobileIron Authenticator App. If I can't use Two Factor Authentication when Access as a Service is used as Delegated IdP, how is this good news if I need a second factor?
If you use Access as a Delegated IDP, the authentication is not handled for all clients by Access, only the mobile devices authentication requests are handled by Access. Authenticator is used to authenticate other clients, not mobile devices.
And the gap closes.. 🙈😂 silly me, gotcha! Thanks, pretty obvious looking at it from that viewpoint. No more 🍺 for me on a Monday morning, jesus.
Hello Guys
Anyone having problems with auto-update of Android Enterprise applications on work managed devices? None of our applications is updating automatically from the work Play Store 😞 MI Cloud settings -> Install auto; local Android settings -> Allow auto-update on any network
Haven't tested cloud specifically but no issues to date with Core
Hello everyone! Does anyone in here know if an iOS update (e.g. from 12.1.0 to 12.1.4) gets logged in MI, and if so, where?
You can use filter labels to track this. Just create filter labels for each iOS version, then when a device updates from iOS 12.1.0 to iOS 12.1.4, you will see the label change in the logs.
Is there a way to send system events to a distribution list instead directly to admins? (Core)
@MichaelM21 create a local user that has the email address of the distribution list and assign the alerts to this local user.
*Thread Reply:* Gotcha. The user needs to be an Admin? No registered device necessary for that user?
*Thread Reply:* You do not need to give the user any admin rights or register a device against it. Just in the event you are monitoring in the admins section search for the user.
Actually I need to manage iOS devices via Jamf, as we are already using it for Mac
Now the question is: can we connect iOS devices to the corporate network?
In our organization the main issue is that to connect to the corporate network the device should be AD bound
@System Admin who do you use for your Corporate WiFi?
Also, if this is specific to Jamf.. we could shift to #jamf
@Woody it's not basically Jamf; is it possible for any MDM?
So, what is being used for Corporate WiFi infrastructure?
If the MDM has integrations with the WiFi vendor, you could deploy a WiFi Profile with Identity Certificate and have the WiFi vendor check against the MDM/CA for validity, etc
It’s not technically a domain join (let’s be honest, mobile devices don’t really join domains), but it’s an automated means to access Company WiFi based on good standing with management, ownership, etc
@Woody correct, for mobile devices "domain joined" is not possible, or not the right word
So I want to understand how it's possible and how can we achieve the same
Good example would be Cisco ISE’s integration with something like MobileIron, etc
Cert-based auth (great UX), but checks against MI APIs when a connection is requested from said device
So is it possible in jamf...also what about AirWatch and SOTI
So, Cert-Based (and integration with EMM) really depends on the WiFi vendor’s functionality
@Woody can you please help me with CISCO ISE Integration more
Sure - There’s a document/guide for it that should help explain it a bit more
You can Google the EMM you’d like to integrate and see if there is a guide for it
@Woody looks perfect, but I guess this will only aid organizations using a Cisco internet provider
Right. Each Wireless Vendor has their own features and 3rd Party integrations
*Thread Reply:* In terms of iOS devices and what EMM platform?
*Thread Reply:* @System Admin your best bet is going to utilize whatever 3rd party VPN service you have, deployed via JAMF (e.g Cisco AnyConnect. Pulse, etc)
@Woody I checked we are using CISCO Wireless HW
*Thread Reply:* I am not sure, I just came to know it's Cisco wireless HW
*Thread Reply:* Okay @System Admin. Ask about your entitlement to ISE. That's what would make the biggest difference when used with an EMM
Where would you place the Reporting Database? In the DMZ or internal? Since the RDB will not need to be accessible from the Internet, internal should be fine - only port 7443 for Core.
Internal or some kind of management LAN, depending on the customers environment
*Thread Reply:* Thank you @Mark Vonk . Self Signed SSL Cert also enough, right?
*Thread Reply:* Yes that should be OK. Depends on what reporting service will talk to the RDB using what kind of protocol. But self signed is typically ok
Looking for some assistance in troubleshooting a device that shows up in the MobileIron Cloud admin console but is not able to be managed (message says MDM disabled when trying to do something like a forced check-in). Is there a way to get the device communicating again with MI without going the route of completely wiping the device and starting over? Thx!!
Hi @Mark Vonk it's an iOS device. Unfortunately, I do not have physical access to the device 😞 Was told they were not able to delete the MDM profile on the device.
Are iOS devices supervised? Because the error sounds like the MDM profile is already removed. But “not able to delete it” sounds like the MDM profile is unremovable.
DEP, supervised or traditional? Maybe reenroll in the MobileIron App?
Most are supervised (e.g. DEP enrolled) but this one I need to confirm; it appears to not be DEP enabled. Yes, it's like it's disconnected from MobileIron, yet the profile is locked and unremovable from the device. Kind of stuck. @Wolfgang Bauer I did delete the device from MI and then had them re-enroll. I see the device but it's not talking to MI, as it seems that it has remnants from the prior enrollment.
if all other devices with the same configuration and location work I would recommend a wipe or DFU mode iOS reinstall and then reenroll
Thanks @Wolfgang Bauer I think those are my only options at this point. Was hoping to not have to go that route but seems like that is the way to get it fixed so that i can re-enroll device.
*Thread Reply:* The H2 on Alexanderplatz is pretty good
*Thread Reply:* Hotel NH Berlin Alexanderplatz
I have configured Graph API in MobileIron MDM and policies are working on iOS devices, however it does not work on Android devices configured with AE.
What I have noticed is whenever I sign in to Microsoft apps, it gives a warning that it requires the company app. Appreciate any assistance to fix this issue.
Have you installed the MS Company Portal App in Work Profile? It’s required for App Protection Policies on AE devices. You don’t need to sign-in to the portal app, just make sure it’s installed.
Out of curiosity, how are people solving the issue with end-users not opening the MobileIron client after an iOS DEP enrollment?
*Thread Reply:* MI have a KB article on how you can deal with this: https://community.mobileiron.com/docs/DOC-7771
*Thread Reply:* We are looking at increasing the time window that a user has to launch the Mobile@Work app after DEP enrollment. MI recommended setting this at 1 week maximum. But there are customers who have it set to 6 months….
*Thread Reply:* Okay, I've been in contact with MobileIron, and they said to be careful with the window due to not filling the database... but having it set to 6 months sounds perfect 🙂
Send them appconnect apps, which they want to use/test. They will trigger the client.
I am unable to sync emails on a Xiaomi MI 6 (OS 8.0) using AE. Settings crashes whenever I try to activate device admin for Gmail. Is anyone facing this issue?
Xiaomi isn't an enterprise OEM, and they currently have little desire to change that.
Try getting logs (bug report) after it crashes but if you can avoid it don't use Xiaomi in enterprise
Is Help@Work for iOS with TeamViewer integration now part of Core 10.2.0.0 - any experiences yet?
COPE + Samsung scenario - We cannot use Gmail and configure it in work profile when it is in the private part already because of "leave all system apps enabled" via KME. Either we can't push the apps through managed google play to the work profile, or the apps lose their configuration (the exchange account is added and deleted)
It works fine to push Gmail and chrome via managed google play, and configure them with mobileiron when system apps are disabled but not otherwise. We can of course not deactivate all system apps, because then the phone becomes so user-unfriendly.
Works fine with Nokia, Huawei etc. - any tips for Samsung?
Does it make sense to create different labels for Email+ configs and the Email+ app itself?
*Thread Reply:* Only if you wish to have different configs for different user/device groups.
*Thread Reply:* Right, good point. I am thinking if this could cause issues where in some cases apps would end up without the config on the device, depending on the order within the Core queue? Also I can achieve that with Label A for Config A + app and Label B for Config B + app. I don't see the pros. I have seen devices where Email+ drops the error "no config"...
*Thread Reply:* Yeah as @Almar Diehl mentioned--it’s usually best to keep the App+Configs under a single label, unless you have multiple configs for different regions, LOBs, etc.
I have configured Graph API to enforce DLP controls for Microsoft apps on both iOS and Android devices, however the user can sign out and that disables all controls. Is there a way to limit sign out from Microsoft apps? Secondly, I can also log in with my personal O365 account so that I can bypass all DLP controls of my work account. Is there a way to stop multi identity on Microsoft apps?
*Thread Reply:* Hello,
Very good article for identity management in O365 apps on MobileIron
Android https://www.mobileiron.com/fr/blog/solving-office-365s-multi-identity-crisis-android
iOS https://www.mobileiron.com/en/blog/solving-office-365s-multi-identity-crisis-ios
If a user signs out then the corp data goes with it. You have to make sure that any app which has access to your company back end is a part of the mam policy set (eg, don’t use native mail).
And yes, there is an app config key you can enter into the mam policy which restricts non-corporate accounts.
IntuneMAMAllowedAccountsOnly
However I think this key only works if you are using intune for device management.
Ah, just checked, it’s a generic app config key you can use MI to deploy.
@Simon Hardy-Bistagne Thank you so much. It was very helpful. Please advise if we can use variables in the key values?
Android / iOS Key IntuneMAMAllowedAccountsOnly value: Enabled
iOS Key IntuneMAMUPN value: $USERUPN$
Android Key com.microsoft.intune.mam.AllowedAccountUPNs value: $USERUPN$
This is for MobileIron Core. Also check out: https://community.mobileiron.com/docs/DOC-6583 and https://community.mobileiron.com/message/5895
Hey guys, should it be possible to copy/paste from unmanaged iOS apps like Messages/iMessage into Email+? There is a restriction to control this, right?
You can allow/disallow this via the Allow Unmanaged Apps/Managed Apps …in the iOS Restrictions Policy
IMHO - Allowing data to come in is fine. Letting it leave from managed to unmanaged is a no-no
Thank you Woody, makes total sense. Are you whitelisting certain system apps within the appconnect policy or container policy to not cut off every little piece of usability - just curious how other companies do it.
@MichaelM21 Honestly, anything that is AppConnect enabled resides in a container all of its own and is subject to AppConnect DLP controls (that was the original selling point for AppConnect)
If you just deploy Email+ (without AppConnect config/container) then it would be subject to the native iOS DLP controls I mentioned above
SOLVED - Hello. We cannot upgrade from Core 9.7.0.1 to 10. Disk space is fine (>20 GB), all prerequisites are OK. /boot is fine. GUI KO and CLI KO (as mentioned a long time ago). We moved to 9.7.0.2 but now it is impossible to go to 10. Message in upgrade.log: "rpm -q mi-ec" failed 1. Connector service has been disabled. Thanks in advance, case is open but takes time... and I cannot find a solution by myself
*Thread Reply:* Is this a hardware appliance or VM? Which version of Core 10 are you trying to upgrade to?
*Thread Reply:* It is a VM. So 9.7.0.2 to 10.0.0.3 failed. Thanks
*Thread Reply:* @SebastienP When do you observe that error? During the staging before the system reboots, during the attempted upgrade, etc? Have you stepped through the database validation and received a successful outcome?
*Thread Reply:* On reload, and written into the upgrade.log file. CLI doesn't output "failed". Database seems to pass because the schema is validated in 9.7.0.0: "no upgrade required"
*Thread Reply:* Dear all, the problem is solved. Boot was the problem. 462 MB free space was needed. My partner moved partitions and extended the boot partition. It was written in the log but we did not catch it on the video
Guys, we had to move Apps@Work over to 9443 because somebody enabled Mutual Auth in the settings on an old Core version and this can't be disabled anymore (there is a KB article for that). Problem is that we can't open Apps@Work on Android (device admin enrollment) anymore due to an SSL issue!? iOS works fine. No idea which SSL cert is relevant here, probably the SCEP for Mutual Authentication. Since it is a system config, no label is applied.
*Thread Reply:* I used port 7443 without issues. As far as I know mutual auth with Android Apps@work is not enabled until Core & Client 10.2 Is it your case?
*Thread Reply:* M@W 10.2 is for sure needed. Not sure about Core 10.2 as a prerequisite.
*Thread Reply:* Ok, I might consider upgrading to Core 10.2.0.0. We currently have 10.1.0.1
*Thread Reply:* Solved - our Firewall Engineer messed up the rules so the user cert somehow got stripped due to the SSL inspection feature. Weird that this affected only Android!
What certificate do you get when browsing to port 9443? With mutual auth, the devices must also present a client/identity cert. After enabling mutual auth, did someone configure the necessary steps? See the MI docs
*Thread Reply:* Browsing 9443 brings me the external trusted Portal certificate from Core.
*Thread Reply:* Only what is described in DOC-7604
*Thread Reply:* Check out page 203 and further of the Android device guide for Core 10.1 or higher and make sure to read and configure all that is needed. For instance: "However, Apps@Work for Android uses mutual authentication only if you do both of the following:
• Select Certificate Authentication at Apps > Apps@Work Settings > App Storefront Authentication.
• Enable the mutual authentication setting at Settings > System Settings > Security > Certificate Authentication."
*Thread Reply:* Also read the paragraph “Migrating Mobile@Work for Android to use mutual authentication” See: https://community.mobileiron.com/servlet/JiveServlet/downloadBody/9349-102-2-33162/CoreDeviceMgmtAndroid10200_Rev17Jan2019.pdf#page197
*Thread Reply:* Thank you @Mark Vonk .. checked all these settings yesterday afternoon and everything is setup like the way it is described. @NicolasR We use Core 10.1.0.1 and M@W 10.2. Will do further troubleshooting today
#FoodForThought @MichaelM21 … the need for Apps@Work can be eliminated by Android Enterprise. Just use that Google Play store, yo!
*Thread Reply:* You are absolutely right Woody, but I have still 200 zebra devices without GMS on them, so no AE possible 😢
*Thread Reply:* I’m fairly certain Zebra enables DO based enrollment outside of GMS through StageNow
*Thread Reply:* https://developer.zebra.com/thread/35648
*Thread Reply:* “Device Owner is supported on AOSP and have the Device Policy Manager APIs available to take advantage of OEMConfig. However, Google Play services APIs are not available on AOSP devices.”
*Thread Reply:* So you can use AEDO with AOSP on the Zebra Android devices but you obviously can’t distribute LoB apps through Managed Google Play since there are no GMS features
*Thread Reply:* You also can convert Zebra devices between GMS and AOSP if you really needed to.
*Thread Reply:* Wow 😮.. that is news to me! Thanks Matt, I will take a look at this. Zebra 🦓 is a pretty fresh topic for me! 😨
Is there no option to detect if an NDES server is down? The SCEP config had the status "failed" because NDES was not reachable, but it looks like there is no setting for this within the system event - everything is checked in the system event but no event was triggered for that - every other event works within the same system event
Anyone using the Apps@Work container app with current versions of Core? I have read the documentation how to implement this - a lot of steps.
Yup, setting it up next week for a customer too
A lot of the steps only have to be done one time. Once done, you only need to keep it up to date by downloading the new version and signing it again. All the Apple Dev steps aren't needed anymore as you already have what's required. But you should also remember the signing cert will expire and needs to be renewed.
Ok thanks.. Then I might have a closer look again tomorrow. Gotta get an Apple Developer account though, currently I don’t have one 😊
Make sure to get the enterprise dev account for $299: https://developer.apple.com/programs/enterprise/ That is needed to sign the apps for in-house distribution
Hi @here, can on-prem configure the Outlook app on iOS?
@macbentosh a couple of documents for you to reference - 1) https://community.mobileiron.com/docs/DOC-1806 2) https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/outlook-for-ios-and-android-configuration-with-microsoft-intune
@NicolasR anything i need to do on the sentry to allow it?
Outlook supports CBA. But MobileIron does not support Outlook from a Sentry perspective: https://community.mobileiron.com/docs/DOC-1806
But it does work, only with passthrough (i.e. username and password auth). The CBA that Outlook supports is not the same as CBA with Kerberos constrained delegation (which is what Sentry does)
And you will have to manually allow every device for the ActiveSync connection on the Sentry
Not a fan of using Outlook with on-premises Exchange. I would advise native mail apps with on-premises exchange or Outlook with Office365.
I don’t even see a way to authorize it in the activesync area @Mark Vonk
If you do not see your device, the device is not connecting properly to the Sentry. Either the configuration on the device is wrong, or, as I expect, your Sentry is already set up for Kerberos constrained delegation and thus requires a client cert. If Outlook does not present a certificate, the connection is closed due to the failed handshake and your device will not show up in the ActiveSync connections on the Core.
Ok, so you will have to target that Sentry from your device as the Exchange hostname. If it still does not work, you will have to read the Sentry logs and find the issue. And that is the issue you will always have as it's not supported; MobileIron does not support Outlook and Microsoft does not support 3rd party reverse proxies for Exchange (i.e. the Sentry). So as far as I am concerned it's not a valid option from an enterprise perspective.
This message is for Core customers on Android devices.
Google has announced end of life of two services that will affect customers with Android devices under management.
There is no impact to MobileIron Cloud. MobileIron Cloud already supports Firebase Cloud Messaging (FCM), and the HTTP batch endpoint upgrades will be performed by MobileIron before the end of life.
Google Cloud Messaging (GCM)
Mobile@Work and MobileIron Core rely on GCM today for push notifications to Android devices. This allows enterprises to perform a forced check-in and apply direct commands (like lock and unlock) to Android devices. Without GCM, these actions will not be applied until the next device check-in.
Impact: After the EOL of GCM, any MobileIron Core servers will not be able to reach Android devices until a scheduled check-in is triggered. This affects all Android devices managed by MobileIron - device admin, managed devices, work profile and Knox workspace.
End of Life date: As soon as April 11, 2019.
Mitigation: MobileIron will be introducing Firebase Cloud Messaging (FCM) with MobileIron Core and Mobile@Work Android prior to the GCM end of life. MobileIron Core offered FCM support in version 10.1, and Mobile@Work Android client will introduce support in March 2019.
Note that the Mobile@Work Android client can ONLY support FCM or GCM but not both protocols, so once the March 2019 Mobile@Work client is released, any Core servers earlier than 10.1 will no longer have push notification access to the managed Android device.
Recommendations: Please update MobileIron Core (to MobileIron Core 10.1) before the end of March 2019. When Mobile@Work is updated in Mar 2019, please update all clients to that version.
Google HTTP Batch Endpoints
For Android enterprise devices (managed devices, work profile, managed devices with work profile) using apps and app configs delivered from Google Play, MobileIron Core relies on APIs from Google Play using JSON-RPC and Global HTTP Batch to perform bulk operations such as app installs, delivering app configs and other operations. The existing APIs are being deprecated in favor of new endpoints by Google.
Impact: After the EOL of the existing batch endpoints, any MobileIron Core servers 10.0 or earlier will not be able to perform bulk operations on Google Play such as push installs, app config updates, and others. This affects all Android enterprise devices - managed devices, work profile and managed devices with work profile. Device admin and Knox workspace deployments are not affected as they do not rely on Play EMM APIs.
End of Life date: March 25, 2019
Mitigation: MobileIron Core was updated to be compatible with the new Google endpoints for batch operations at the end of Q3 2018. There is no Mobile@Work dependency.
Recommendation: Please update to MobileIron Core 10.1 before the End of Life date. http://pages.mobileiron.com/wI9HWCcOl0010tIG0070S04
How do I have to add a SharePoint correctly within Docs@Work? If I add the FQDN of the SharePoint like https://sharepoint.domain.com I get access, but I don't see our relevant shares like https://sharepoint.domain.com/management/files... Is there a way to map the root FQDN and still browse every document within Docs@Work? If we open up our SharePoint in a browser we can search for every document, but not within Docs@Work. Do I need to enable webview within D@W?
Hi, do you know if MobileIron can manage phones on Windows 10 IoT? And if so, how? If you have any examples I am interested
*Thread Reply:* So, are these machines running the Windows 10 or Windows Phone platform?
Might anyone know if the recent TLS changes also apply to the connector?
quick semi emergency question for @here how do you force a quarantine?
Create a compliance rule / group that puts a device in quarantine when the Status = lost and apply it to all the devices. Then select your device and set the lost mode ;-)
so weird locked both of her devices but it only q’d one…
it shows both devices in the condition
(“common.status” = “LOST”) AND “common.retired” = false
any idea why it wont kick her other device in?
A device that was not lost was shown in the result of the compliance rule?
Hello, do you know if there is a way to authenticate a user on a proxy after tunneling on a sentry, kerberos certificates ... ?
*Thread Reply:* You can just add Context header but Context Header doesn’t work with TCP Tunnel and IP Tunnel
any tips on how to block all devices on or off network from hitting a URL?
Why does MobileIron force the "limit adult content" setting when I just want to block one URL?
It's not MobileIron; this is how the content filter payload works. Check it with Apple Configurator or the Apple Configuration Profile documentation. When you want to blacklist URLs you must use the built-in Limit Adult Content setting
The Configuration Profile Reference does permit a list of blacklisted URLs. MobileIron chose not to implement that. However you can create your own config profile and distribute that if you like.
Are you sure? The blacklisted URLs are possible, but only with the adult content setting. This is exactly like Apple Configurator works also.
Aww, @Mark Vonk, just because Configurator can’t do it, doesn’t mean it isn’t possible!
You can edit that .mobileconfig file to your liking, and install on any supervised device.
How can I increase the timeout for Core Admin Portal on Core 10.2.0.0? Seems a bit shorter than with previous versions.
*Thread Reply:* You can change it in the system settings to 90 minutes.
Hi, I've a question about APIv2... I try to get user UPN + custom user attribute. I have this API GET call, but I don't receive any content... has someone an idea? https://[COREURL]/api/v2/devices?adminDeviceSpaceId=1&field=user.displayname,custom.user.[Attribute Name],user.ldap.upn&sortField=user.display_name
Thanks, the issue is resolved... It's an XPOST query... 😛
Has anyone here deployed Azure Information Protection with MobileIron MDM?
*Thread Reply:* @NicolasR Hi, iOS users are unable to open protected documents when App Protection Policies (Graph API) are applied. We are using the iOS native mail client and we also have Access (AaaS). Also, I am facing an issue configuring policies to stop multi identity. I have configured values as shown below: IntuneMAMUPN --- $USER_UPN$, intuneMAMAllowedAccountsOnly --- Enabled
*Thread Reply:* @NicolasR Are you using Outlook or any other email clients on devices?
Hello,
Does anyone know if it is possible to revoke certificates of a specific list of users (CSV or label) with API or Assemble? We just need to regenerate the certificates because of a users' UPN format change. The certificates are issued by an external authority (NDES). Thank you
If the UPN changes, the Core should pick up the change and generate and push new ones. What are you after by doing it manually?
Depending on the use case, it seems you can use Assemble to do it: https://help.mobileiron.com/s/feed/0D53400004dlW8kCAE
Hello Mark, thanks for your answer. Apparently, Core is regenerating certificates pretty randomly (colleague feedback). Our customer needs more precision in his timing. I don't know if it's just me but I cannot open your link on Assemble (error page: Chatter is not enabled)
The link works for me, just opened it on a different device. But MI is busy moving to the new system, so I guess some things don’t work well yet.
Go to help.mobileiron.com and search for “Assemble/API - Revoke certificate from core”
In the comments (last one) you will see a comment with a working script (somewhat).
If you only change the UPN, you should be OK with Core. However, due to the nature of the LDAP implementation in Core, if you change more AD user object attributes, some things can break. For instance if the CN changes of a user object (last name changes for example) the relationship between the device owner and the LDAP object is disconnected. So in that case, MobileIron will never update the device if anything changes for that user (group membership, certificates, etc.)
Hello MI Team, anyone know how to force an LDAP sync on Core? I have a 30 sync interval but I need to force it for testing purposes. Thanks 🙂
*Thread Reply:* Devices & Users > Users > Resync with LDAP
*Thread Reply:* Nice, was looking on the Service > LDAP tab 🙂
You should monitor the sync on MICS in case you reach the sync threshold set in the LDAP preferences (if you enabled sync discard).
FYI, since KB move, you can bind AE here: https://help.mobileiron.com/s/android-enterprise-enrollment
Ah, okay. Looks like they followed the trend and shifted everything over to help.
Everything is now on Salesforce. Helps with better search engine they said and link to cases
I want a label with all ips starting with 10.
So you want an advanced search label with wildcards. Interesting, but basing labels off of IP is tough. Since the devices only check in every 4 hours, you’ll have devices that are still in the label for hours after they’ve left that network.
I don’t remember if wildcards are supported in advanced search, and I can’t test it where I’m at. Anyone else?
Sure : “common.ip_address” starts with “10.”
"Starts with 10." Should work if "starts with" is a valid parameter for the IP address
I’d forgotten “starts with” How quickly we forget....
Sorry, should have been "does not start with 10."
either way past that….How do you set it so that per app vpn only happens when they are off the network?
In the Per App VPN connection configuration. Don't need a label to do that... Besides that, a lot of home networks use 10.*, so that would fail anyway
And the delay would kill you. You’d be on the corporate network for several hours before the policy changed, then home for several hours if it changed back.
Any way you can convince your network guys to shunt all mobile devices to an “internet only” connection? That way you don’t have to worry about personal apps on your corporate network.
what does mobileiron offer in the way of reporting?
@macbentosh in general, or something specific you’re looking to obtain?
not sure..Just got told to ask MI about a reporting system…
*Thread Reply:* Multiple reporting methods depending on your needs, from the most basic one to the most advanced. From the simpler to the best/complete reporting experience: 1 - Embedded dashboards; 2 - Assemble (kind of End of Life by the way...); 3 - Reporting Database + BI tool; 4 - API - requires you to build your own scripts; 5 - Third-party IronWorks product
*Thread Reply:* BTW, I know they may be trying to EOL Assemble… but there is still a lot of that deployed/running. Might be in their best interest to maintain support if they’re being mindful of customer satisfaction
*Thread Reply:* at least MobileIron is not providing new features on that
*Thread Reply:* @NicolasR that’s understandable. While it wasn’t perfect, it certainly helped with a fair amount of cleanup and automation, etc
*Thread Reply:* Also, they might need to expose more in the API and document it better to be a complete replacement for Assemble.
*Thread Reply:* They need to both incorporate more features from Assemble into the base code of their products AND expose similar functions (and supporting documentation) in regards to the API
*Thread Reply:* Once Jack Zarris left, there really was no one who could maintain or add new features.
@macbentosh You have the dashboard view, which gives you a snapshot in time - this moment’s stats for the various charts/graphs in that page
@macbentosh You have MobileIron Monitor, which gives you CPU, memory and disc performance data for operational network/infrastructure monitoring.
@macbentosh You have a syslog feed for importing into your existing SIEM
@macbentosh You have a Splunk module for doing the same into Splunk
Other than that, you have to look at ecosystem partners, e.g. IronWorks, or roll your own with the inbuilt APIs.
Full disclosure - we are the organisation behind IronWorks, our senior management and operational intelligence reporting solution for the MobileIron platform.
Sorry, I’ve just realised I should have replied as a thread.
sent my boss the info for ironworks
After finally 4 people trying to convince him to go work with ironworks, macbentosh will take it. @Jason don’t forget our sales bonus 😂👌
Does anyone know how I should request a username/password for being able to download MI software updates? I have a couple of (v9.2.1.5) Sentries in our isolated zone that refuse to update when I just click on the 'Check Updates' button. Therefore I want to try via CLI but that requires a username/password. I did check with our support partner but they don't seem able to help me.
*Thread Reply:* Just create a support case and they will send you the credentials.
*Thread Reply:* So from where did you download the Sentry ISO image file? For downloading the image file on your computer, I am sure it prompted you to enter the username and password to download the software. You can use those same credentials to update in the GUI or CLI. But make sure the correct port is open.
*Thread Reply:* When you bought MI licenses they sent you download credentials. Do you know who is the main contact for your company? If not, just create a support case with MI. But a good partner should help you with this situation.
Does anyone know what the highest number for Passcode Expiry on Core is? Can't find anything in the guide. Trying to use 30 days.
*Thread Reply:* In the security policy you mean?
*Thread Reply:* Ah sorry was not clear enough - within Core Admin Portal under Settings / User & Devices / Registration / Passcode Expiry (hours)
*Thread Reply:* Maximum is 4320 hours (180 days).
*Thread Reply:* Thank you Almar 👍
hello folks, might anyone have powerpoint/similar enrolment guides for MobileIron Cloud, for iOS DEP/non-DEP by chance?
I have no access to iOS devices, and no one has created any internally.. so figured I’d look to this fine community 😎 (@here)
There’s a demand for enrolment guides utilising DEP also.. 😄
What do you mean with guides? Typically, the guides I have (made) are customer specific. So not really to be shared
*Thread Reply:* Everything up to the point of putting in credentials. Screenshots of the setup of the device. I appreciate it’ll vary with DEP per enrolment profile, but I can write around that.
*Thread Reply:* The issue is, for example, that the Apple Setup Assistant will also vary with the choices made. Some companies will skip certain screens, others will not skip them. Screens like the MDM enrolment will show company names. Other documentation will show how to connect to the corporate Wi-Fi (if needed). Hence, there is typically a lot of customisation.
*Thread Reply:* well with a non-DEP guide I can remove per the DEP profile and hopefully that’ll be close enough 🙂
*Thread Reply:* We haven’t met before, but I only focus on Android normally 😛
little crud due to how Confluence exports it
Is there a way to modify MTU size for Sentry?
Plenty of stuff in the DEP center of excellence
Is there any configuration or plist for iOS and Android so that we can force users to login to our ‘On Premise’ Sharepoint? server
Afaik the Sharepoint app does not have managed configs (android or iOS)
Docs@Work problem: when a file is opened from a PC, it cannot be opened as "read only" in Docs@Work. Does anyone know about a solution to this? Runs Sentry 9.2.1 and Docs@Work 2.9.0.59. Error on the Sentry server: "STATUS_SHARING_VIOLATION", and "ERROR Cannot connect to CIFS" in Docs@Work. Fileshare is Linux (Samba) CIFS with SMB 2.1 support.
Is there a way to use Intune Conditional Access for Exchange/Sharepoint online with MobileIron enrolled devices e.g only devices enrolled in MobileIron can access these services? I doubt it
otherwise Microsoft doesn’t allow MI to do this
It also depends on your authentication setup. To be able to deploy Access you need to have federated authentication (hybrid setup) with AD FS or another IdP. Access will not help you in case of Seamless SSO or Azure AD accounts only.
Looking only for a way to leverage the built-in Conditional Access Policies with our MobileIron Enrolled devices, which looks to be the case that this is not possible 😜
And with Access, we use the Conditional Access Policies with Access of course, not with Azure Conditional Access. I get it that Access can do it.. which I believe is the only solution for MI enrolled devices (or also other EMMs)
Yep, there is no other option for MI. VMware WSO has Identity Manager for the same purpose.
alright @here we are doing 802.1x wifi how does MI get the users new password when using the $PASSWORD$ variable for the config?
1st: Please don't use the $PASSWORD$ feature... I don't even know how that can still exist 😱😆 2nd: The password is hashed/sent to CORE and stored on CORE during the in-app registration process. The password is updated when a user successfully logs in to the CORE console, either on the Admin side or the User Portal side
you should better use cert based authentication even if it’s a Local CA
That's far more secure and smoother for the end user
And how would I go about setting that up... That would have to be allowed by our network team, correct?
Well, depending on the 802.1x server it is quite straight forward setup
but yes, they need to trust your CA & check your CRL (optional)
See if you’re entitled to it. There’s a clean integration between it and Core/Cloud
Prob just need something going today so people's accounts stop locking out
Well, if WiFi isn’t functioning on a device it’s going to fall back to Cellular. Do most of these people have cellular service?
If so, send an email reminding them to change their password for that WiFi profile
If they don’t have email--Perhaps start a call tree? 😆
Going to keep $PASSWORD$ for service accounts with passwords that don't expire
You’d most likely need to update the profile and push it with a null value for P/W
Is it a singular config for the entire joint, or split up based on platform/ownership/etc?
In CORE, if you have a static password that you want to set and send to the device, you can use the $NULL$ variable and put your password in the field to the right of the password field.
But it's the same password for everyone who gets the config
So @macbentosh is the profile that’s going out specifying the user’s ID (e.g $USERID) and $PASSWORD$, but you now want them to have the ability to enter their password by hand (because the stored password is failing)?
*Thread Reply:* That's going to be up to iOS to manage. You get this behavior with native email because iOS is smart enough to say "hmm...the password isn't working, let me ask the user." Mobileiron doesn't do it.
iOS would need the same behavior for wireless authentication passwords, so when they expire, the user is prompted.
I am unable to open AIP protected documents using the AIP Viewer on iOS devices. I am using Per App VPN and split tunnel on Access (AaaS). The error code I receive is FSCRTERRCODEINVALID_LICENSE. Has someone come across this issue during a Microsoft AIP deployment using MI MDM?
@mahiroux is the license key being pushed to the AIP Viewer via MobileIron? Perhaps the one you’re pushing out is invalid thus the error?
@Woody I am not pushing any license keys for the AIP Viewer app. Other file types such as ptxt or pjpeg are working fine.
Does AIP Viewer have to connect to a licensing server to validate/utilize that feature?
@Woody I am not quite sure about that. I had logged a case with Microsoft. As per their feedback, this seems to be a known issue; however, I could not digest that completely.
okay @mahiroux. Was this configured prior to engaging access (and did it work)? If yes, did you still have the per-app VPN engaged at that time?
It was working with access in place with per-app VPN and split tunnel.
I am currently attending AIP live webinar and posted this question and the answer is below,
er, #ItsThemNotYou
*Thread Reply:* I expect you mean SIEM. What SIEM software do you use? Generally speaking MI supports Syslog forwarding.
*Thread Reply:* yes SIEM….still early….On a MONDAY 😩
*Thread Reply:* IBM QRadar AFAIK doesn't have templates for MobileIron. You need to use custom parsing. Apart from that it is just a simple config in System Manager: enable Syslog forwarding + define what should be forwarded. For Sentries you need to enable audit log forwarding via the CLI.
any idea why compliance actions show a device in the filter but not when viewing the violations?
Because you use the old fashioned compliance triggers
Compliance tab is for Compliance actions rules/dedicated menu
I am pretty sure this is a stupid question, but is there a way to trigger the start of an iOS app remotely?
*Thread Reply:* You can send an APNS message to wake it up, but the app needs to be launched at least once by the user for that to work.
*Thread Reply:* The only way (I am aware of) to launch some app is in single app mode after device restart. Otherwise not possible with any MDM.
*Thread Reply:* If the app supports the URL method, you can call the URL to open the app, but:
*Thread Reply:* Yep, user interaction is needed.
*Thread Reply:* Single App Mode would do the trick (but will lock the device into that app)
*Thread Reply:* And how would you do it with the URL method? API call? Assemble?
*Thread Reply:* The Mobileiron app would need to be set up to process a command to call the URL, which it is not.
*Thread Reply:* As far as I know, there is no way to force an app to open on iOS. We (lookout) have built some tricks with a VPN service we install on the device, but we can't force it to be opened.
Hello all, today we have issues with Apps@Work on Android devices, when launching it we get a network error -1 or other codes. This does not happen on iOS. any ideas ? Could not find much on MI Help, Core 10.1.
*Thread Reply:* This error is caused by Chrome v73.0. MI have told us that there should be a fix coming in a future Mobile@Work client release. Our devices are enrolled as AE Work Profile, so we're getting users to use the Managed Google Play Store...
*Thread Reply:* arghhhh, thanks a lot. Unfortunately, it also happens with some Chrome 72 apparently, but the tip is good. The devices with the most issues have Chrome 73.
*Thread Reply:* @Pierre if happened with Chrome 72, please open case with logs!
*Thread Reply:* already done Nico 🙂 of course
*Thread Reply:* device and showtechs
MobileIron Core CBA for EAS with Office 365 without Sentry - the MI guide for integration with O365 states that the values of email and user ID within the Exchange config have to be $NULL$ because these values will be taken from the cert. But using $NULL$ within Android Enterprise Email+ won't work - it brings up a configuration error! So keep $EMAIL$?
$EMAIL$ for UserID and Email address should work just fine. Even when it’s actually retrieved from the client cert. It does not interfere.
Perfect that is what I thought. Just confused me to remove it from the exchange config.
Hi! Some Android users get the error message: "Security Alert. There is a problem with the provided server certificate." We are using MobileIron, any thoughts?
Is the port 8080 for Local CA CRL still valid? Getting a connection refused
I know that in the past you sometimes got HTTPS 443 on the local CA CRL.
Yes well we have plenty of user certs where the CRL points to 8080, which looks like it is not reachable. Trying a telnet from the same Core subnet brings me a connection refused. I need the CRL for CBA with O365 EAS to be reachable, right?
*Thread Reply:* For this customer we are using MobileIron Cloud
*Thread Reply:* Yeah, I'm pretty sure it needs to be reachable. Sounds like you need to create a ticket. I just went in and looked on my test server and my CRL points to https, not http. Same if I create a new one.
*Thread Reply:* Ahh ok, I'm talking about on-prem
*Thread Reply:* I think it's different on Cloud..
*Thread Reply:* So you see https in the CRL, not 8080?
*Thread Reply:* yeah, on services->and then selecting the local ca i created.
*Thread Reply:* Ok.. Me too, only I have 8080 within the URL..
*Thread Reply:* Ok, then I'm out of answers 😞
*Thread Reply:* Thanks so far, I will raise a ticket with MI.
*Thread Reply:* You should be able to disable port 8080 and force all of those connections to HTTPS. In the system manager, under ports is where you can change that. I'm assuming it would then update the CRL to be available over 443.
*Thread Reply:* There is no option within the System Manager to disable 8080 - I haven't seen anything like that on Core 10.2
*Thread Reply:* Disabling 8080 has always been an option, it's recommended for production deployments to move those communications to 443.
*Thread Reply:* This is from an older MobileIron install guide, but...
*Thread Reply:* Checking Port Settings The default provisioning port is HTTP/8080. If you have signed certificates, you can select HTTPS/443, instead. To change the port settings:
*Thread Reply:* Yes I agree but provisioning is enabled for 443, that is not the point
*Thread Reply:* The point is we have to use a new local CA because the old one is still 8080 which cannot be changed. So re-enroll 12.000 user certs because of that.
*Thread Reply:* Ah, I guess you're right. I hadn't thought about the fact that the CRL is encoded in the certificate. Yep, you may be stuck
We are seeing issues with Assemble after activating SAML federation on our CORE. Some reports work, but most of the device reports are not working anymore. Anybody having the same issue? We use a local service account on the Core for this and it has all the rights.
*Thread Reply:* Known for reports that need UI access and not only API
*Thread Reply:* You need to work only on assemble scripts that use API only (try to convert those scripts to API v2 in assemble)
*Thread Reply:* uuum ok, i have to check how to proceed.
how can I get cloud to stop asking for an app store password
*Thread Reply:* You mean on the device when the app is installed?
If that’s what you need, look into device based vpp.
Has anyone a feature comparison between MobileIron VS Airwatch VS Sophos VS MAS 360?
*Thread Reply:* Devil is in the details… these comparisons are usually quite misleading. It all depends on the specific use case and I would always recommend to do PoC for any bigger/complex deployment.
feature comparison is in the best case not up to date, in worst case incomplete...
you can compare on specific topics like Android Enterprise
These products now have a large number of features each, so comparing becomes complex
Anyone run into any weird quirks or issues when upgrading your sentry servers to 9.5? I'm about to do this to 3 of our sentry servers this Friday and for the most part they upgrade fine, but every now and then there's some weird issue that we run into that involves MobileIron support. So just asking around to see. Thanks.
*Thread Reply:* What you mean by “weird issues”?
*Thread Reply:* Our last Core upgrade completed successfully but the MIFS never went back online. We had to restart Tomcat in order to get it back online. According to support, it was a bug. Our last app Sentry upgrade messed up our cloud serviced apps in MobileIron Access. Turns out that some of our ciphers were removed, so we had to put them back to where they were and make sure they were all prioritized correctly. Just weird issues like that.
TLS 1.0 & 1.1 are removed by default in Sentry 9.5...
Is there a restriction for KNOX Workspace to prevent the export of business contacts from the workspace? (MobileIron Core)
*Thread Reply:* Known issue for Samsung devices, the fault is in Samsung's application of GMS.
*Thread Reply:* Do you have a reference for this?
It does not really matter. Assuming KNOX Workspace, the container. With Core < 10.3 (and M@W 10.3, both in beta) you can't use KNOX Workspace (container) on AE; you can only use some KNOX device APIs (formerly SAFE) to turn on/off features within the AE work profile. As he mentions KNOX Workspace, I assume it's the container and thus based on Device Admin. Either way, for both cases the APIs implemented in Core are the same. I am not sure if there is a KNOX API to disable this, but even if there is, it is not implemented in Core.
Has anyone here heard of any Apps@Work UI improvements for MI Core? Our end users hate it and I've been asking MI for YEARS to make it better. All they did was add a spinning circle when you tap install. Is MI Cloud's Apps@Work any better?
Does anybody urgently know how to disable an ACL set in a Core System Manager? Not a Portal ACL, but one of the traffic-level ACLs. One has been added accidentally that is blocking all traffic, so I need a way to disable it from the CLI :-(. Any help gratefully received...
*Thread Reply:* Have you tried “service iptables stop” ?
*Thread Reply:* Login with root access (misupport) and modify the file /mi/config-system/startup_config/systemconfig.xml
*Thread Reply:* Thanks Almar, stopping iptables worked, tested it on another environment. In this particular case though the changes weren't saved, so getting the VM rebooted wiped out the ACLs and we were back to normal.
On the unsupported access: because the firewall rules were in place we could not SSH to the server, even from the VMware console to the local IP. Don't suppose you know how to get access to the root prompt using the 'devshell' command we see MobileIron Support use, do you? For future reference :-)
*Thread Reply:* You can request your own DevShell password. See: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxoFCAS
Anybody know of a URL scheme for Docs@Work by the way? Want to be able to open files on CIFS shares, so a URL scheme like
*Thread Reply:* I do not know the url scheme but maybe MobileIron FilePass can help (announced for next week, currently iOS only).
*Thread Reply:* @Almar Diehl That is good news indeed. I have registered for beta testing. Out of curiosity, can I open an AIP protected document from Docs@Work?
*Thread Reply:* Thanks Andrew, you tested that and it works? Nothing in the MI docs about it, but I feel like it did exist :-)
*Thread Reply:* I know that's the syntax, but I can't test it at present.
*Thread Reply:* I was a MobileIron sales engineer for five years, so I've got experience. 😄
If the user permission „register device“ is not checked, the user should not be able to enroll a device without the admin having created the device in the first place, right?
Yes and no: only if you require a PIN for registration. If you do not require that, any user with the User Portal permission can register a device
Hi everybody 🙋♂️, first post here, I hope I can help and collaborate onwards. I need a little help here with D@W on iOS. I have it working right on AE without any issue. I made it work in the past in other instances of MI Core + Sentry on iOS, but last week I installed a new instance on 10.2 and something is not working, or I forgot to set up something properly. I add below a few screenshots of my test environment. I installed Documents by Readdle (SMB client) on an iPad and assigned the per-app Tunnel, and it can connect to the CIFS share, so it must be something in the iOS D@W. I tried with CIFS_ANY and TCP_ANY; none of it makes any difference. Comments are welcome. Thanks
*Thread Reply:* Hi Nicolas, I know about CIFS 445, I think I changed it during one of my desperate tests. I'll try with 445 again and report back. Thanks
*Thread Reply:* Nicolas, one question: do I need to use CIFS_ANY or TCP_ANY?
*Thread Reply:* I read in the documentation about iOS that it only works if you use TCP_ANY for the Tunnel app and AppConnect, hence my confusion
*Thread Reply:* The Tunnel app is TCP_ANY, but Docs@Work uses embedded AppTunneling (not requiring the Tunnel app); for CIFS servers it's CIFS_ANY and for WebDAV/SharePoint and others it's ANY
*Thread Reply:* Ok, I'll try to redo my setup base on that.
*Thread Reply:* And the CIFS connection is finicky. All of the other connections are simply proxying traffic. The CIFS connection is also translating CIFS traffic into Webdav so the mobile device can consume it. It's why CIFS_ANY exists, and why it's mandatory.
*Thread Reply:* Just to check, as you said it does not require the Tunnel app, I don't need to add the Tunnel app profile to the per-app VPN inside the D@W setup, right?
*Thread Reply:* Thanks, it works now, it was the port error. My bad.
Hi folks, I hear there’s an IP change for MI Cloud on the horizon (if not already). Does anyone have any info on this as I’ve not seen anything outside of NA2
@Jason Bayton I received an email about EU servers
"If you use IP-based firewall rules for MobileIron Cloud https://eu1.mobileiron.com/ in your network, you must take action before May 6th, 2019 to avoid service interruptions."
Might you have the link to the details on it please?
PM me your email and i'll forward the email.
anyone here configure MobileIron Access as a Service for Azure SRS?
*Thread Reply:* I have a customer who do, what’s the question?
*Thread Reply:* Did you have to enable ActiveMQ manually on MI Core for this to work? Initially we thought it was firewall rules, but MI just came back saying that we need to manually enable something on Core 10.2 as well
Guys we are using Intune MAM now, but we want to implement MobileIron MDM solution for our organization requirements
We want to represent use case MobileIron vs Intune MDM
*Thread Reply:* Complex as we don’t know your use case but anyway I’ll try:
*Thread Reply:* Also, agnostic Conditional access and built in Mobile Threat Defense technology
*Thread Reply:* Thanks a lot for your reply
*Thread Reply:* But conditional access is also in intune
*Thread Reply:* We want to connect Android and iOS devices to the corporate network, but the issue is those devices should be domain joined, which I feel is complex on a mobile device
*Thread Reply:* Another use case is we want to integrate in-house apps, and I know Intune MDM is slightly tricky to accomplish this with, as it requires app wrapping and the SDK
*Thread Reply:* Another use case is we want to implement this solution for plant users, where the issue is network connectivity, and we want to lock down the device within a secure environment
*Thread Reply:* Another use case is the majority of our solution will be for Android, which means we have to make sure the MDM is compatible with all types of Android devices, and I know Intune is not good at that
*Thread Reply:* Please help me with some valid points/reasons why MobileIron or any other MDM but not Intune
*Thread Reply:* But definitely our main focus is MobileIron
*Thread Reply:* I know MobileIron is really awesome
*Thread Reply:* I can only speak in terms of what I tested before. During the design of our enterprise solution, I evaluated BES UEM, AirWatch, Intune and MobileIron Core/Cloud. It was a year ago, and there was a vast difference in terms of which features were supported at the time, how resource intensive they are, and how the technical support works in each solution.
*Thread Reply:* In my case, my target mode to use was AE with COPE. In this case MobileIron Core was the first solution to release such a feature, and it ended up being the winner in my evaluation, but not only because of that.
*Thread Reply:* @System Admin about conditional access with Azure: Microsoft can only perform conditional access through apps that contain the MSFT SDK. No third party apps without SDK can use it (no way to put conditional access on Salesforce, Concur, Service Now, others...) If you have a cloud service it will require app changes to include the SDK which is complex and not ideal situation. Also, native apps like native iOS, Gmail, Chrome & Safari can’t be included in conditional access from MSFT. Only Microsoft apps (Edge, Outlook, Word, Onedrive...)
*Thread Reply:* In terms of supported features, BES UEM and AirWatch supported at the time more AE API calls than MobileIron, but the ones that are not supported by MobileIron are not "critical" in many ways. For example, one that is not supported by MobileIron is the one that permits you to set the lock screen message.
*Thread Reply:* About resources, AirWatch and BES UEM are quite intensive, as they are solutions built on top of Windows Server; MobileIron is based on Linux (CentOS) and that for me is a point in favour. If you look at the numbers, MobileIron Core scales up in a very linear way, but BES and AirWatch are madness in terms of hardware requirements.
*Thread Reply:* I have a customer with 120K devices on 1 core 😄
*Thread Reply:* and they are still going up and up
*Thread Reply:* About Intune, I discarded the solution at first, because we came from a cloud-based (tenant) AirWatch solution provided by the telco where we CAN'T control which version we are using, and they control when and how AirWatch is updated. That was totally insane, and I'm sure others here have worked with the nefarious VSDM by Vodafone.
*Thread Reply:* With Intune you are in the same boat: they update the solution online when they consider it tested and ready for the production environment, even if you are not ready to accept the risk
*Thread Reply:* And this is the same for all the cloud base solutions where you don’t control how they are updated.
*Thread Reply:* I suffered that before and I like to sleep well knowing my UEM is not going to be updated without being able to test the new version in advance, as you can do with MobileIron Core anytime.
*Thread Reply:* So in short, Intune does not support all AE APIs, is only cloud based, and even if Microsoft says it is "free" (included with your O365 subscription), we'll see in the future how it evolves; my point of view is that at some point they will merge SCCM and Intune.
*Thread Reply:* Thanks guys, can you please help me with the detailed reason why Intune is not better for in-house app integration
Guys, I need your input with MobileIron Access as a Service (Delegated IdP) and how to quickly verify that Access is working for managed devices and not working for unmanaged devices. - Core and Access connected - SCEP and VPN config created - Delegated IdP in the Access portal enabled and configured. The next step is to execute the PowerShell script on the ADFS. But before that I would like to have a device prepared so I can test it. What would you recommend? Email+ with Modern Auth enabled? OneDrive for Business? Thanks for your input
*Thread Reply:* To test an unmanaged device it doesn't matter. If you've never done this before, make sure you're not doing it in production, as this will change your authentication flow for all of O365.
*Thread Reply:* I usually used onedrive or one of the office apps. Make sure the app in question is managed with the per-app VPN assigned to it, or it won't work.
*Thread Reply:* So I have to enable the VPN config used for Access within the app settings of the app? I only have a production environment, so I am looking for a way with the least impact for existing mobile devices. Since we use Delegated IdP, desktop devices are not impacted. I think I need to allow unmanaged devices within the conditional access policy as well, otherwise these devices will be impacted since they are not using Tunnel yet - of course within a maintenance window I can block the unmanaged devices
*Thread Reply:* Yes. the way an app is considered "allowed" is if the app is coming in via VPN.
*Thread Reply:* If you're setting up access as a separate IDP that's talking to ADFS, that's fine.
*Thread Reply:* If you change O365, however, I think O 365 only allows a single IDP for the domain. That kind of change impacts all authentication for office. Desktop, mobile, browser, etc.
*Thread Reply:* If it works fine, no issues. Access will pass all the desktop and browser traffic through.
*Thread Reply:* If you have trouble setting it up, though, no one will be able to access O365 until its fixed.
*Thread Reply:* With the Delegated IdP setup I don't have to modify the Office 365 IdP, since there is no trust between Access and Office 365 involved. Creating a federated pair in the Access portal for Delegated IdP only needs the metadata from ADFS, and after that you execute the PowerShell script from Access on the ADFS. Well, with adding the VPN configuration within the app I see a problem - what happens to all the devices which already use that app but will not have the VPN config because they are not using Tunnel yet? Are they able to use the app without impact?
*Thread Reply:* And also: If I want to use Email+ for iOS which now supports Modern Auth, do I also have to apply the VPN config to Email+?
*Thread Reply:* As long as the policy isn't yet set to block unauthorized apps, they will continue to use it.
*Thread Reply:* You will also see in the access logs how many users are coming in via unauthorized means, so you can be sure that number is acceptable before you block.
*Thread Reply:* Ok got it, thanks. But coming back to the VPN config which needs to be enabled in the app settings within the App Catalog. If I enable the VPN config for, let's say, OneDrive for Business, since this is a global setting it will be applied for all devices. And since we have plenty of devices which will not have a Tunnel configuration, hence no Tunnel VPN config applied to them, will the app still be usable for non-Tunnel users?
*Thread Reply:* If they don't have tunnel, the VPN won't work, but that won't break the normal function of the app. Once you set access to block unmanaged apps and devices, however, those devices will break, as those apps will not be "managed" as access sees it.
*Thread Reply:* Clear, thanks! 👍
*Thread Reply:* Regarding Email+: do I have to choose the Identity Cert for Access within the Email+ config and also apply the VPN config within the app? The documentation about this is very limited! 🤕
*Thread Reply:* No. The identity cert in the email+ config is if you're using certificate authentication for email access. That's separate from the certificate authentication needed by Tunnel.
*Thread Reply:* But I have to enable the VPN config in the app catalog for Email+? I am not talking about the KVP for login cert, but the Identity Cert from the dropdown menu
Is there a way to re-deploy the Apps@Work shortcut for Android if a user deleted the shortcut?
*Thread Reply:* I cannot test it at the moment, but if I remember this correctly there is an option in the Mobile@Work client to re-deploy the shortcut.
*Thread Reply:* Yep, just checked. When you go to Settings in the M@W app there is an option to “Add Apps@Work Shortcut to Home Screen”
My new LDAP groups will not show the members on Core (no Data) hence no Filter labels apply! I have added all relevant groups within the LDAP configuration. If I browse the LDAP through the LDAP settings on Core, I can see all the members in Active Directory, but not within the Users tab (LDAP entities). Any ideas?
*Thread Reply:* Sync discard may have been triggered
*Thread Reply:* note that there is a change in the way CORE calculates the sync discard since 10.1
*Thread Reply:* Before: the percentage was applied to all the users synced in CORE
Now: the percentage is applied to each group independently and stops the sync of all LDAP
-> We recommend switching to a number of users instead of a percentage
*Thread Reply:* Ah good point. This should be in the logs. Can I disable the Sync Discard without any impact?
*Thread Reply:* Better switch to number of users
*Thread Reply:* depending on your fleet size but a number between 100 & 300 should be enough
*Thread Reply:* Ok but I can temporarily disable it to check if the sync works again, right?
*Thread Reply:* You can, even if switching to number of users will have the same effect, without the risk of having a real user impact in case of sync issues
*Thread Reply:* Bingo, right on the money! Thanks! 👍🍺
*Thread Reply:* If you can open a case to make Sync Discard feature great again it will help 😆
*Thread Reply:* VSP-47816 is the feature that changed the behaviour
*Thread Reply:* This change caused us a bit of grief. We’ve got a ticket open with engineering..
*Thread Reply:* not only to you 😉
Hello, we have an issue between iOS and the Outlook app. The iOS devices will be shown as Android devices
The solution is that the device will be blocked automatically...
Maybe don’t block Android devices? How very dare you 😅 This isn’t a MobileIron issue though, probably one for #microsoft so I’ll share it in there.
Outlook will always be blocked as the ActiveSync ID from Outlook will not be recognized by the Sentry as a registered device.
Hello, has anyone come across using the USER_CUSTOM attribute as the URL within Docs@Work for Android Enterprise? I am using the same attribute within iOS and Android DA for Docs@Work and this is working fine.
Hello, I have an issue with Email+ for iOS during activation. The SSL handshake fails... Do you have the same problem here?
*Thread Reply:* I had that almost 2 years ago: it was an issue in checking CRL & validating the cert chain
*Thread Reply:* workaround was to allow untrusted certs or not checking CRL
*Thread Reply:* it should have been fixed since then anyway...
*Thread Reply:* If it's Email+ that's failing, check the domain name it's pointing to using a certificate checker (Qualys has one that's online)
*Thread Reply:* It will report back any certificate issues, and that may help troubleshoot.
*Thread Reply:* Thanks for your answers. The SSL certificate seems to be good and trusted (SSL Labs rating "A"). I don't understand why the Email+ activation fails... 😞
*Thread Reply:* this is something else 😉 https://activate-emailplus.mobileiron.com/index.php is another resource required for Email+ activation. I also had this one in the past and successfully fixed by playing with key value pairs... but not remembering which ones...
*Thread Reply:* Yes, I read the configuration guide 😉 I tried the key "emailtrustall_certificates", it does not work. I will check the other key-values
*Thread Reply:* Is the device able to reach the URL in the message? That URL (activate-emailplus.mobileiron.com) is required to set up email+. It hasn't even tried connecting to your server yet.
Is the device on LTE or wireless? If you haven't, try LTE. If you have custom VPN enabled, make sure the device has a route out to that URL
*Thread Reply:* @Boris W. did you use AppTunnel rules with Email+?
*Thread Reply:* or maybe per-app vpn with Tunnel?
*Thread Reply:* @Andrew Olpin the screenshot shows 4G 😉
*Thread Reply:* If your Email+ config points to Sentry, test if Sentry can reach the url.
sentry@sentry.acme.com# telnet activate-emailplus.mobileiron.com 443
Trying 107.20.172.67...
Connected to activate-emailplus.mobileiron.com.
Escape character is 'off'.
*Thread Reply:* The device was connected in LTE. With Safari, the URL is not accessible because of unsecured connection... (same issue on my PC). Nicolas, yes, I configured an AppTunnel Rule with my Sentry in the AppConfig. Thanks Martin for your suggestion, I will test that asap. 😉
*Thread Reply:* did you configure the AppTunnel rule on the Email+ AppConfig because of EWS traffic?
*Thread Reply:* because otherwise you shouldn’t
*Thread Reply:* Email+ connects to Sentry as ActiveSync client
MobileIron Access as a Service Delegated IdP - the ADFS login page on a desktop browser will show an Active Directory button and a MobileIron Access button because of the trust added to ADFS with the PowerShell script from the Access admin portal, so I guess this is normal, right? But if a desktop user clicks on Access this will result in a failure because desktop traffic will not work with Delegated IdP. Can this option be hidden in the ADFS page?
*Thread Reply:* Look at the new “unmanaged device management” added in Access R30. This handles exactly this use case by allowing non managed traffic through del-IDP.
*Thread Reply:* Ok thanks, I will. Is this an option which needs to be enabled? Basically I don't want to send desktop traffic to Access. I thought this is the whole point of Del IdP, but if a user can still choose Access this will cause a lot of headaches! Not sure if this is designed like that or I missed a configuration step
*Thread Reply:* Nope, you surely missed something. In the ADFS web theme you can select the user agent you send to access. Keep in mind that ADFS will not take the new .js script until you reload it through a specific command in PowerShell
*Thread Reply:* So you are saying I missed something within the execution of the PS script on the ADFS? I followed exactly what is in the guide! The only thing: I did not customize the mobile theme which the PowerShell script prompted me about.
*Thread Reply:* I’m talking about the few lines at the bottom of the .js script that you need to add. It’s part of the web page
*Thread Reply:* Not sure what you mean with adding a few lines. Can you point me to it in the guide?
*Thread Reply:* Wow thanks. Is this also relevant for Access as a Service? Because these steps are not in the guide for Access as a Service with Del IdP, I believe. This is the guide with Standalone Sentry..
*Thread Reply:* oh right! true... I’ll reach out the author 😄
Has anyone managed to deploy MI FilePass successfully? It doesn't work for me. When I am opening a Word file from Docs@Work, it flips to FilePass, however it doesn't show any option to open with a Word app.
@pihlapuro has joined the channel
That was just me messing around in MS paint. Honest.
Somehow you got access to LinkedIn https://www.linkedin.com/company/mobileiron
Nicolas it's bad. Cancel it.
Regards, Everyone
Agreed. Saw it last night on LinkedIn and didn’t care for it but agree that it is time for a refresh.
The old logo was nice but seriously, when all the market got refreshed we needed that 😉
Change the old red to blue. Refreshed. Job done.
Exactly. No need to change something that works.. especially if it's result is dramatically worse.
That’s because you’re not used to it 😄 It’s just I feel it’s maybe too close to this;
Totally different. McAfee can write an M properly.
Also, is the reversed Batman intentional?
Or it's a 1 and it was struck by Zorro 😎
The old one looks like a falling stock price.
Do we think Ojas is going to replace / update his tattoo?
*Thread Reply:* Well... I think he will keep it. https://www.linkedin.com/feed/update/urn:li:activity:6527601001661370368
*Thread Reply:* You two beat me to the joke!
What's the deal with Core here? Happens after reboot and is stuck for a while!
Probably from a cronjob during bootup. It's systemd logging a root logout. You can suppress it but I'd leave it be as it's harmless and you don't want to make config changes.
Does anyone have an app/tool with which you can control (view) Android phones on a Mac? I need to make a screenshot of something that blocks it (MobileIron Go), need this for a manual.
*Thread Reply:* http://vysor.io for USB connected device… or Reflector for wireless connectivity
@Dominik Schmid has joined the channel
Can video calling apps like Skype for Business or Jabber be used with MobileIron Tunnel? Wasn’t there a UDP limitation?
MI Tunnel does not tunnel UDP traffic. However, it supports Split UDP. Meaning all UDP traffic goes directly from the device to the intended destination.
Former versions of MI Tunnel used an iOS library which changed the UDP source ports, mainly preventing UC protocols from working successfully. This library has been replaced by another one, which does not modify source ports. This version is currently in the Alpha stage and I know two customers testing that.
Responsible PM at MI: Archana Karehalli Raju <araju@mobileiron.com>
Be aware, it really is an Alpha. Many manual configuration steps and unstable results. But the proof of concept in general works as expected 🙂
*Thread Reply:* But that would also mean the backend destination needs to be externally published for UDP traffic, right? Example: if a Cisco Call Manager is only available via Sentry.
*Thread Reply:* Where do I have to configure Split Tunneling for these Video apps which use UDP? In the VPN Tunnel configuration?
Thank you! I will take that into consideration!
Hello guys, we are encountering a problem when deploying an application on Managed Play Store. We want to release a beta for our pilot population on the open track (Google console) through MobileIron (Core 10.2). Our users are only downloading the production version. We double checked the prerequisites, checked the application version (25 for prd & 26 for beta - incremental ok) and we are testing on clean devices without any other applications. Any idea? Thank you
*Thread Reply:* Did you create a beta label and assign it to the app?
*Thread Reply:* Yes, we have created a manual label pointing to the beta release
*Thread Reply:* I'd suggest to check the "Pricing & distribution" settings for the app, and also make sure the beta is set to "Open Beta Testing". Also be aware that changes on the Google play console sometimes take a couple of hours.
*Thread Reply:* I've seen the same for AirWatch recently. Perhaps Google changed something?
Guys, do we have any case studies/business cases for plant or warehouse users where we can lock down the device and can access in-house apps?
I am looking for MobileIron, SOTI and AirWatch
SOTI is best in class for the COSU Android use case, specifically with Zebra Android devices which have 65%+ of the new rugged android market.
*Thread Reply:* @Matt Dermody, any specific features that makes you consider SOTI the best?
*Thread Reply:* Probably should move this out of the mobileiron channel, but I'll continue for now
*Thread Reply:* native remote control that isn't separately licensed that works for both DA and DO enrolled devices
*Thread Reply:* options to leverage the AE kiosk, custom SOTI launcher, OR Zebra Enterprise Home Screen
*Thread Reply:* multiple methods for accomplishing tasks, e.g. Packages & File Sync Rules
*Thread Reply:* support for the Zebra MX configuration layer and the SOTI scripting engine is a dream
*Thread Reply:* You can send intents to devices to remotely enable and disable logging utilities
*Thread Reply:* start, kill, relaunch applications, wipe application data, process firmware updates, etc.
*Thread Reply:* And with AEDO + Zebra you can enroll in SOTI with StageNow, bypassing any of the standard Google SUW based methods (NFC, DPC, QR). Zebra provides a bypass barcode that allows you to launch straight into StageNow and then you can scan a second barcode to download the AE agent, install it, set it as DO (yes DO, not PO), and enroll it in an environment. You can use this method to also enroll DO AOSP devices.
*Thread Reply:* Ultimately I think the scripting is the best piece, you can seriously accomplish anything that is not exposed as an available configuration in the UI if you have the scripting layer + mx
*Thread Reply:* If you want to use Zebra Devices, Soti has the most functions right now. If you want to use other devices, I would go for MI.
Does anyone have insight into whether a high number of AND / OR conditional criteria in a Label (70 or more) will adversely affect Core performance?
*Thread Reply:* I believe it depends on the operators in use. Primarily negative operators (for example !=) will affect Core performance. Never really noticed a performance issue, but I also have never seen labels with 70 criteria....
*Thread Reply:* You might want to reconsider and use another method to achieve the same.
*Thread Reply:* Depends on the number of devices also. It's a DB query and will be pretty taxing
*Thread Reply:* Thanks all. In this case, I need to apply a configuration based on an LDAP field indicating the country where the user resides most regularly (as opposed to using the reported location of the device). In this case the world would be broken up into 3 to 5 regions of countries. For example, Label1= if country=Argentina OR Chile OR Paraguay, etc. Label2 = if country=US or Canada. Label 3 = if country= Spain OR Portugal OR France OR Germany, etc. (and 50 more nearby countries). I hear you on the DB query - that's my concern. Assume 40k-70k users per Core.
*Thread Reply:* You could create 70 labels each with own criteria
*Thread Reply:* Interesting. So I'd be trading admin time, admin UI complexity, or potential for admin error for CPU load. Is there good data to support that processing 70 labels is less impactful than processing one label with 70 conditions?
*Thread Reply:* Just from a SQL perspective I'd say that running a simpler query will help the optimizer and your indexes could help deliver fast responses. From an admin perspective I'd almost say that 70 labels would be easier to manage in the long run and perhaps even also initially
*Thread Reply:* And if you ever need to target a specific country you already have that label 🙂
*Thread Reply:* Elasticsearch will deal with the query and also build something like a query plan. Even if the Syntax in the UI is kind of heavy, the overall performance for Value IN (a, b, c) like query will be good. That's nothing complicated for ES.
*Thread Reply:* You can easily monitor this on the Core CLI or via Monitoring, by checking the Elasticsearch CPU usage. A system of 80k will have an Elasticsearch CPU usage of roughly 50%, depending on configuration.
Hi, Has anyone already implemented Google’s Alpha, Beta program on Core OnPremise?
*Thread Reply:* Yes, I have, needed it for the beta version of Email+ 3.0
*Thread Reply:* Do you have some documentation for an easy implementation?
*Thread Reply:* I have tried with the MobileIron documentation but it is not working
Folks does anyone have info on Cloud token enrolment for AE? Provisioner app updated to support it but I don’t see anything added in R60/61
*Thread Reply:* Can you elaborate what is the Cloud token enrollment?
*Thread Reply:* Open the provisioner, you’ll see it under username. It’s also referenced in the update notes in Google Play.
*Thread Reply:* I don’t have an Android device with me 😁
*Thread Reply:* Did you ever find out what it does?
*Thread Reply:* No, my MobileIron resource above there is Android averse :p
*Thread Reply:* Ok ok... I asked around but nobody knew. Should get some info next week.
*Thread Reply:* I know it's cloud related if that helps!
*Thread Reply:* Haha! I'm not Android averse, but my boss hasn't approved my expense for it yet 😬
*Thread Reply:* @Mirko Bülles tell his boss to get on with it. He'll need a mid-top tier Samsung (A or better), Android One/Pixel and possibly a Huawei too (because they go wrong a lot).
Make it so 👏
😁
Does anyone have an idea about Azure SAML applications hosted for iOS?
Is there a way to use MS Teams with Access as a Service (delegated IdP) for iOS devices - Split Tunnel for UDP!
*Thread Reply:* Tunnel v4.0 coming soon (Q3 release)
*Thread Reply:* Isn’t there a workaround with MS Authenticator, Access URL within the Tunnel Safari Domains, etc?
*Thread Reply:* yes there is with MS Auth, but not ideal as you will allow an unmanaged app to connect
*Thread Reply:* Oh I see, you are right! 🤙
*Thread Reply:* Regarding the allowing unmanaged app - in the KB it is mentioned to disallow unmanaged apps within Access flow.
*Thread Reply:* Yes but the problem is that authentication flow is via a managed app even if the data are in an unmanaged app
*Thread Reply:* Ah yes that is what you mean! Got it
*Thread Reply:* I just heard UDP split tunneling will be delivered Q4. Might be a more conservative roadmap..., but not sure if it will make the Q3 release
Hello guys! Does anyone know a way to bulk retire with CSV / Script / Assemble / API? Thanks
*Thread Reply:* Are you kidding me? Ask @Luc we know it works PERFECTLY for 500 devices within few minutes...
@Daniele Crippa has joined the channel
Who’s at MI Live in Brooklyn? We should do a meetup!
*Thread Reply:* I am under the big red umbrella next to the answer desk. Come say hi Kiran
*Thread Reply:* Seriously, did no one else make MI Live? The new logo that bad?
*Thread Reply:* How’s it feel to come to our coast for once @macbentosh? LoL
*Thread Reply:* I'm tired and this city is nuts.
*Thread Reply:* I’m one row in front of you to the right lol
*Thread Reply:* Hey @macbentosh I was there, sorry I missed you. Would have been great to meet you!
And who will be in MI Live Berlin? I will be starting from Tuesday
*Thread Reply:* Me too - come and visit us at our IronWorks booth! 😀
*Thread Reply:* I want to see a demo of your product...!
What could be the issue when devices are not receiving a new user certificate (for Email+) from the Core local CA? Core should try to renew it 60 days before it expires, right? Local CA is valid and issue test certificate also works within the SCEP config
*Thread Reply:* The process for renewing the certificates runs at 3:45 AM (UTC), check if that runs OK.
*Thread Reply:* Wow that is some detailed info - thanks!
Ohai!
Soo... Many end customers run appconnect and have those configs, policies et al, applied to "all androids". When I'm thinking about preparing for AE with MGP, I'm hesitant about the best way forward with the migrations.
I am curious as for how you all have gone about this, both for core with labels and for cloud with device groups?
*Thread Reply:* We have created two Android labels before the migration: Android Legacy Devices and Android Enterprise Devices.
So instead of All Android Devices we now use Android Legacy Devices for all configs, policies, apps, etc. to be pushed to Android DA devices, and Android Enterprise Devices for all configs, policies, apps, etc. to be pushed to AE devices.
The new features for iOS 11.3 and above "allow open unmanaged from managed..." used to have the info in the restriction that this requires a license (Gold bundle). That info is not there anymore - is this feature now in the Silver bundle?
*Thread Reply:* Just checked MobileIron Cloud. I know for sure that in Cloud you needed a gold license and therefore you could not use it with a silver license. It now shows up there under the silver license so I assume that MobileIron has changed it from gold to silver.
*Thread Reply:* Ah ok well that sounds different. Gotta ask next week in Berlin 😜
*Thread Reply:* Oh good, please do. It’ll make a pleasant change for me not to be the only one asking awkward licensing questions there! 🙂
*Thread Reply:* Anyone from #mobileiron here who can answer this question?
*Thread Reply:* couldn't you always just send down custom XML? I guess that wouldn't require a specific license?
*Thread Reply:* Technically I guess you are right. But why would we need restrictions within Core if we push down the custom XMLs?
was this actually ever controlled by a license?
Not controlled or enforced, just an informal message only
Yes well controlled or not controlled, I think everybody’s goal is to be licensed correctly even though MI doesn’t enforce it, which is a good thing. But to be honest, we receive reports from MI when gold bundle customers use platinum features, so there is that. So officially it is Gold?
It was Gold, up until now. Not sure why they removed it or if it did actually change. You will have to ask your Account Manager from MI
Hi, anyone here running MI Core, onprem? I was wondering if there are any incentives to update from 10.2 to 10.3. The only one that is of relevance so far is the implementation of the iFrame with the Managed Google Play for Android Enterprise.
*Thread Reply:* Samsung Knox features also!
*Thread Reply:* Ability to have 2 entries for the same Android app in apps@work. 1x in-house 1x PlayStore. Especially important during migration to AE.
*Thread Reply:* Thank you for sharing these details 🙂! Very helpful.
If anyone on here is at MobileIron Live! Berlin, please do pop by our IronWorks booth and say hello!
what admin rights allow an admin to sync ldap?
*Thread Reply:* If you mean “Resync with LDAP”, I would say the “Manage users” right, but not 100% sure.
*Thread Reply:* you guys are my manual
Hello guys, does anybody know the best way to get reports on AppTunnel usage? Because the AppTunnel tab (MIFS Console > Apps > App Tunnel) is not really practical: no export and little information
*Thread Reply:* Have a look at Assemble. With Assemble you can export the AppTunnel lists.
*Thread Reply:* Unfortunately, no Assemble in the picture.
We have two cloud services federated with ADFS, but only one will be activated for Access as a Service Delegated IdP. So if ALL mobile traffic will be routed to Access, that will also include the requests for the other federated cloud service which we don't want to use with Access, right?
*Thread Reply:* If you have delegated IdP setup then you decide on ADFS which auth traffic is forwarded to Access
*Thread Reply:* Right - so I need to configure this separately on the ADFS, not part of the MobileIron IdP Setup Powershell script?
There is no way to build a dynamic label based on an app which is installed on an iOS device, right?
*Thread Reply:* You are right. We do such things (automations based on app install status) via API.
Does anyone know if it's possible to trigger an LDAP sync of MI Core through a script? Only way we've found was assemble but was hoping there was a straight API endpoint exposed for that.
AFAIK @Kiran Patel assemble is the way.
Also relevant here.
*Thread Reply:* Is it possible it's trying to download the old MI Cloud specific management app, instead of the new converged one?
*Thread Reply:* Hmm, probably not. The Go client is selected as DPC within the Zero Touch config
Has anyone an idea? Failed to start Tomcat status 4
*Thread Reply:* Which Tomcat? MIFS or MICS? Did you update the Core? On the console, can you see more error messages? Is MySQL running? I would suggest to contact MobileIron support as it's high priority and intervention on the Linux might be needed....
Alright @here like @Jason Bayton asked I have looked through the manual and could not find out how to add an app configuration for an additional space. I would like a global config and a config for our clinical shared devices so the app will auto deploy on enrollment.
@Daniël Kraaijeveld can you share your settings in ZT Portal for that device?
@Daniël Kraaijeveld Which device/type is this?
I have for testing created a space under device spaces
@macbentosh Not all config options are possible in all spaces, especially for AE!
If you have a specific use case, send me your input and I will send it to our Android PM
Not sure if this is possible, i can ask around
That screenshot I sent: I just want to have a config for Global and a config for the clinical device space
I understand, but haven't used this before, so can not say if that works yes or no, or is available at all.
@Daniël Kraaijeveld I need to see the DPC config to see what is happening. What if you use another ZT enabled device to test with?
@Mirko Bülles Devices are Motorola One, nothing really fancy going on with the config. Can’t imagine that being the problem since it does work sometimes.
That is not really a lot, you miss the stuff in the DPC config
I have not tried other devices yet. Customer only has these within the portal.
I've used this config in other scenarios without any issues. Also used it with a DPC Config for this customer but that gave the same result.
iOS Email+ - can users work with folders and subfolders for Exchange notes within Outlook? It looks like Email+ only syncs the notes in the default folder so to speak. No notes folders are visible within Email+, so I guess this is not yet supported. Does anyone know this one?
Hi all, I have an issue when creating web apps on MI Cloud (with Android Enterprise). I upload my icon (png or jpg in 512x512) but the upload fails... I successfully created 15 other web apps yesterday with the same icon and I didn't have any issue... Any idea?
*Thread Reply:* As it's an iFrame to a Google service I don't suppose there's a lot of troubleshooting we can do. Does it accept any other image? If not log it with MI.
*Thread Reply:* I tried other images and it does not work
*Thread Reply:* Solved by MI Support... They didn't change anything... They just did the same process as me and now it works... 🙄🙄
*Thread Reply:* karma Boris... karma
Anyone ever see the Self Diagnosis (Maintenance tab > Self Diagnosis) function get disabled out of nowhere in the MICS System Manager? It was enabled for the longest time.
Do I have to add an Active Directory group into the LDAP config on Core before I can use it within a filter label?
*Thread Reply:* Ok thanks - It seems with some versions of Core you have to re-enter the password for the ldap user when making changes!
*Thread Reply:* Yes, you have to add the group in the LDAP config in core. Otherwise, Core won't poll that group and it won't function.
anyone @here use the single sign in webclip have time for a chat?
*Thread Reply:* what do you mean by single sign in webclip? Like a webclip to an internal app that we have SSO for to auth to that web app or something else?
*Thread Reply:* ah okay my bad, sorry hadn't done that
Has anyone here created a PowerShell script to send a message using the MobileIron Core API? Reviewing the API documentation and doing some quick testing with Postman with the block below, and I need some help
*Thread Reply:* Hi, I use following URL https://CoreFQDN/api/v2/devices/action?adminDeviceSpaceId=1&actionType=SEND_MESSAGE with POST method. Your data parameter looks fine.
*Thread Reply:* I have made a PowerShell class implementing most of MI's API calls in PowerShell. Here is an example of my SendMessageToDevice method:
    [Object] SendMessageToDevice([String]$DeviceUUID, [String]$Mode, [String]$Subject, [String]$Message) {
        # PowerShell class methods do not accept default parameter values, so the caller passes all four (e.g. $Mode = "pns")
        $Uri = $this.ApiEndPointV2 + "/devices/action?adminDeviceSpaceId=" + $this.AdminSpaceID + "&actionType=SEND_MESSAGE"
        $Params = @{
            "note" = "Message"
            "deviceUuids" = @($DeviceUUID)
            "additionalParameters" = @{
                "mode" = $Mode
                "subject" = $Subject
                "message" = $Message
            }
        }
        $Response = $this.RestPost($Uri, $Params)
        return $Response
    }

    [Object] RestPost([String]$Uri, [Hashtable]$Params) {
        # Serialises the parameter hashtable to JSON and POSTs it; $this.Headers carries the API credentials set up elsewhere in the class
        Try {
            $this.WriteLog("Debug", "POST " + $Uri)
            $Json = ConvertTo-Json -InputObject $Params
            $this.WriteLog("Debug", "Params: " + $Json)
            $Response = Invoke-RestMethod -Headers $this.Headers -Uri $Uri -ContentType "application/json" -Body $Json -Method 'Post'
        } Catch {
            $this.WriteLog("Error", $_.Exception)
            return $null
        }
        return $Response
    }
*Thread Reply:* Thank you so much for sharing this!
*Thread Reply:* you're defining most of these variables elsewhere in the script right?
*Thread Reply:* PowerShell supports objects since version 5. So I have a class implementing most of the API calls as methods. So basically I just instantiate a new object using this class (it takes a JSON file as a parameter for the Core FQDN and API credentials). Then I just call individual methods like SendMessageToDevice with parameters. Real world usage then looks like this:
    . "/path/to/class.ps1"
    $MIPS = New-Object MIPS -ArgumentList "./config/core_examples.json"
    $Result = $MIPS.SendMessageToDevice("91d12427-c730-4b1f-a0a7-44a94ee3c7a6", "pns", "Some subject", "Some message")
well I have a ticket with support. When A user signs out of the multi user page it just spins and will only prompt again for login after a reboot of the device.
Enabling SAML for the Self-Service Portal is really only relevant for local admin users, not for regular LDAP users?
Hi Guys, for those that are using Mobile@Work in an On Premise environment and have a blacklist of Android apps implemented, this is helpful. We have seen it in the middle of this week and Android devices were getting quarantined: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000fyHlSAI
Hi Guys and Girls, Is it possible to restrict a device to a single URL and prevent the device from navigating away via website menu bar and disable the URL bar from appearing please? My current thought is using Web@Work in Kiosk mode? This is using MobileIron Cloud and on an iOS device running the latest iOS and in DEP.
You can create a web clip, and check the “Full Screen” option.
I don’t believe it works in kiosk mode. But you can hide all other apps.
I thought the full screen web clip was more-or-less retired?
I also thought full screen is or was already deprecated? You can easily create your own app based on webkit to open only that particular website. Deploy the app as an in-house app and lock the device down to single app mode.
(not marked as deprecated) https://developer.apple.com/documentation/devicemanagement/webclip?changes=latest_minor
Weird, that contradicts https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf#page104 where fullscreen is not even documented anymore.
Did anyone see the "news" about the new app icons? What do you think about it?
*Thread Reply:* I like the new icons but hate it that they change the icons 🙂 Think of all the manuals/instruction cards that need to be changed around the globe…..
Which Sentry service do I need to use within the Docs@Work config for OneDrive for Business? Custom or <IP_Any>?
IP Any is for Windows 10 or Android (Tunnel). For OneDrive with D@W I would choose <ANY>
*Thread Reply:* Ah yes, sorry, my bad. The URL pattern would be something like tenant.my-sharepoint.com 443, right?
*Thread Reply:* The question is do I really need the sentry rules? I don‘t care about sending the Office365 traffic through Sentry, I only want to provide the OneDrive config for the users
*Thread Reply:* If you do not want to route the traffic through Sentry, you should not create a sentry rule. Just add the content site, without the rule and the traffic will not be routed through Sentry.
What do you guys think about using DNS round robin for Sentry HA instead of a LB. Anyone using it?
*Thread Reply:* That is interesting, because we use Kerberos Constrained Delegation on these ActiveSync Sentrys. Can you explain a little more why this won‘t work - because of the missing stickiness?
*Thread Reply:* Cert based auth requires the session to be alive for more time than regular HTTP sessions. I mean there are multiple connections from the client to the server and it's mandatory to keep the same server for the entire handshake and session. DNS cannot handle the requirement to keep the same server (A) for one session... therefore when the secondary server (B) sees the connection it drops it, because the handshake was not done with server B but with server A.
Make sure you use dynamic IPs while you're at it. Really up the ante on the will it work roulette 😁
Just wanted to thank those who replied to my message. I'm new to Slack and haven't figured out how to reply in thread to the message I posted 😕
*Thread Reply:* @Dan Hughes, welcome! Just click "start a thread" 🙂
any good way to push a .ical shared cal to android users?
We need to migrate our SCEP profiles from SHA-1 to SHA-2.
Our Wi-Fi, VPN and Email configurations each have their own SCEP profiles for identity certificates. Over 100k SHA-1 certs have been issued to devices.
We use a Microsoft CA, but it can only issue 900 new certs per hour.
Has anyone done a large migration like this before? Any tips or things to avoid?
*Thread Reply:* Hi Phil,
if the MS CA is used for other functionality/devices then you really don’t want to overload it.
So my recommendation is:
I did a similar migration for 40k devices with Exchange/Wi-Fi/VPN configs. Just calculate the number of devices per hour/day and then let the script run on a scheduled basis.
Feel free to contact me directly if you need help with that.
*Thread Reply:* Be aware that Assemble is slow as hell. That is why I wrote PowerShell class implementing MI API. Using API directly will massively speed up the process.
*Thread Reply:* That’s awesome, thanks Ladislav. Will be in touch if we need help.
New CA should be dedicated to mobile devices, so we can push it the limit.
We’ve got first hand experience on the speed of Assemble 🙄
*Thread Reply:* It is sometimes like 40 mins with Assemble compared to 2 mins with the API. Assemble is terribly slow if you need to retrieve data for a huge number of devices.
*Thread Reply:* During the last migration we did the crucial parts of the migration were: 1. progress monitoring, 2. user notifications - we sent email/push notification to every user 1 day before migration.
*Thread Reply:* Last hint: do not underestimate the additional load on Sentrys and the EAS backend. Exchange config re-push = email re-sync on devices. From the user experience side it means all contacts/mails/calendar entries will disappear.
Anyone moved from On-Prem to Cloud recently? Wanting a general scope out of what's involved
Haven't moved anyone from On-Prem to Cloud in any MDM, wondering if there's anything MI does to make that as painless as possible
*Thread Reply:* MobileIron will release a tool to migrate users without re-enrollment. But it is not available yet. You can hire professional services to do the same: they will set up the tool and help migrate the users. You will need to configure the Cloud and configs still.
*Thread Reply:* Oooh so I can still obtain that tool, I'm just responsible for configuring it?
*Thread Reply:* No not yet. Only PS have access to it for now
*Thread Reply:* Gotcha - magic question - any idea when that tool will be released for general use?
*Thread Reply:* I really have no idea about that. If you have an account or partner manager, you might want to ask them.
*Thread Reply:* My old contacts @ MobileIron said the tool was pretty much there. Reach out to your MI account team for help.
*Thread Reply:* The “LUI migration tool” is almost there... some fine tuning to make it usable by trained partners I guess and we’re there. LUI stands for “Low User Impact” 😉 I’m currently working with a very large customer (150k+ devices on Core) to migrate to Cloud with this tool.
It works frictionless for iOS and Android DA. For AE Android devices we need to find the right way to do that: either through the API available in P or through another magic thing we will do inside our client app
*Thread Reply:* @NicolasR is the tool only for migration from MI On-Prem to Cloud or also for other scenarios? On-Prem to On-Prem, Cloud to Cloud, different EMM to MI?
*Thread Reply:* Only CORE to CLOUD (soon we will support Connected Cloud to CLOUD)
*Thread Reply:* @Justin Butts Although the Core > MIC LUI is "ready", PS is still working out some minor tweaks in it. The CC > MIC will not be available until Q3 (most likely, end of Q3). There are definitely caveats you should be aware of with using LUI. Most important is that the Apple MDM needs to be imported into the Cloud first, not in arrears, to prevent the iOS chain from being broken. A series of CLI commands on the Core can get that extracted for import into the Cloud. One of the challenges with the CC migration! There are other options available to migrate to and from UEM platforms. DM me if you need to discuss. Good luck!
Hi Guys, has anyone done a Samsung Knox integration with MI Core? I would be interested to find out if you worked based on this start guide and if you had any challenges along the way: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000Qy4yCAC
*Thread Reply:* Yes works fine. Basically there is no connection between KME and Core (as you would have with DEP). You configure KME and there you configure the MDM to connect to. 30 minutes work.
*Thread Reply:* Nice, thank you for confirming Mark 🙂! Looking forward to see how this looks.
Anyone know how to give the user an option to download an ebook?
*Thread Reply:* For iOS I would recommend using VPP to purchase and push Books (iBooks) to your users, you would retain ownership of the book and would also manage distribution of the content. So you can publish the books to the user to choose to read
*Thread Reply:* Is that more of what you are looking for?
*Thread Reply:* From my knowledge there is no way to push apps from public App Store, you would essentially purchase books via VPP and publish to the books app to create your own "bookstore" so to speak. Problem there is you have to purchase all the books users can't just choose. So I would recommend having your users ask which content they want to give you some materials to bring to the books app
Hello guys, I need to extend the partition of MobileIron Core. Is this article from 2015 still valid: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxzSCAS
Any issues I might run into? Appreciate sharing your experiences.
Anyone @here have info on these messages? I have seen them forever from Core, but my infosec team is freaking out now that we are in the SIEM…
Jun 24 19:01:51 mi stunnel: PRODUCT=Core10.2.0.033,Jun 24 19:01:48 mi stunnel: LOG3[542756]: SSL_accept: Peer suddenly disconnected
Make sure SSL is on for the port if this is mail related at all
@macbentosh I think it just means that it was disconnected before SSL was actually negotiated
Is there a way to pre-configure Microsoft Outlook for Android device admin enrollments with MobileIron Core?
*Thread Reply:* If outlook supports XML config, and you’ve another means for pushing it to the device, probably.
*Thread Reply:* I think this is not possible in this setup. But you can do it with Android Enterprise.
*Thread Reply:* Ok thanks. Does anyone know if Outlook for iOS or Android Enterprise can be used with Lotus Notes and KCD?
*Thread Reply:* maybe it works but it is not officially supported, so I wouldn't do it
Looking for best practices when it comes to replacing a very broad label with a more refined one… e.g. I have a config pushed to the iOS label and want to add a label that allows me more flexibility. In the past, if I remember correctly, I apply the new label, let it settle, and then remove the old label. All without interruption, I hope.
Yes. Set up the new label and apply the same configs... then wait a while before you remove the configs from the old label.
Not sure if this question is better asked here or in the Android channel, but I am trying to understand the process of locally hosting an in-house app when “install this app for Android Enterprise” is checked in MI Core. Documentation states that the APK definition file must be uploaded to the Google Play Console and there will be a license key that we pull from the console and upload to the Core, but I’ve been unable to find clear guidance on where to actually upload the definition file in the Console. Anyone have any experience with this?
*Thread Reply:* The definition file is uploaded in Google Play at the same place where you can upload an app. But before being able to upload the definition file you have to enable Managed Google Play for the app and select the checkbox just above the APK/definition upload frame.
*Thread Reply:* Upgrade to Core 10.3 which will make Inhouse app deployment much easier!
*Thread Reply:* Not easier for self-hosted applications. These still go through the cumbersome Google Play process.
*Thread Reply:* I thought the virtual private Google Play Store is a part of 10.3? 😳
*Thread Reply:* Thanks @Almar Diehl these were the steps I was missing Go to Pricing & Distribution > User programs > Managed Google Play. Check the Turn on advanced managed Google Play features box. Check the Privately target this app to a list of organizations box. Click Choose Organizations.
*Thread Reply:* Yes @MichaelM21 it is, but you can only use it for APKs. If you want to host the APK on your own server and want to upload a definition file to the Google Play Store, you cannot use the Google Play iFrame.
*Thread Reply:* Ok, that means I can upload an APK to Core and distribute it directly to the device without publishing the app in Google Play before?
*Thread Reply:* No, you always have to publish. Either an APK, using the iFrame, or a definition file using Google Play Console.
*Thread Reply:* You can push APKs to devices from Core, but they won’t show up in Google play, they’ll install silently.. they’ll also be subject to less than ideal caveats, so Play is the better route
*Thread Reply:* So basically what you are saying is that with Core 10.3 it is possible to deploy an APK directly to the device, with this private virtual Google Play Store integration, without the need for a developer account?
How do you guys configure a WiFi config with a Preshared Key - a variable needs to be used in the config, right? (Core)
*Thread Reply:* $NULL$ and in the field at the right just enter your key 😉
Variable? What kind of Wi-Fi is it? WEP/WPA(2), personal or enterprise?
*Thread Reply:* Ok, you really do not need to use a variable, but you can replace $PASSWORD$ with $NULL$ indeed, assuming you need users to authenticate with accounts. If users authenticate with a client cert, you can leave it as is.
*Thread Reply:* They don‘t authenticate with an account, there is only a PSK which the user doesn’t know.
*Thread Reply:* WPA 2 Enterprise does not use a PSK. The “enterprise” part means you will have a radius server for authentication. So I am not sure what you are trying to do now…
*Thread Reply:* Sorry for the misunderstanding - obviously I am not a golfer as The Big Lebowski would say! 🙈
Typically it's just choose the correct security type and enter the PSK
#mobileiron We have already federated ADFS with our existing production MI Access tenant, which is registered to the production Core (SaaS). Can I also federate the same ADFS with another Access tenant which will be registered on a test Core?
*Thread Reply:* it depends on:
*Thread Reply:* In short if you deployed Access in IdP proxy mode then yes.
*Thread Reply:* @NicolasR It is deployed as IdP Proxy. We don’t have a separate SP. Will that work in this scenario?
*Thread Reply:* No, because the federated pair is linked to the Service Provider
*Thread Reply:* We currently have an ADFS-Office 365 federated pair configured on the Access tenant. Our live MI Core is registered to Access. We would like to register our test Core as well so that test users can also leverage the functions of Access for the same ADFS-SP federation.
*Thread Reply:* it will require another O365 tenant at least
*Thread Reply:* if O365 supports multiple Identity providers, maybe you can create another Relying party on the ADFS
*Thread Reply:* Today I got a confirmation from MobileIron support that says we can register up to 6 Cores on an Access tenant and can use the same federated pair. Let me test that tomorrow and see how it goes.
Anyone @here install ivanti on their MI VMs?
*Thread Reply:* You are not allowed to install any third party software unless MobileIron support or PS advise you. 😉
*Thread Reply:* What’s the need? Deploy anti virus or equivalent?
Getting a General Error for SCEP issuing a test cert - where can I find the logs on Core?
*Thread Reply:* Go to System Manager, enable debug logging, click MIFS link to see realtime logs, repeat test in certificate enrollment profile.
*Thread Reply:* Thanks for the fast response.. I will look for it!
*Thread Reply:* Got it... TLS1.0 issue! 😂
Hi, I'm new to the MobileIron world and was hoping you experts could answer a few questions: 1) does it support MFA for admin accounts? 2) is there a definitive list of what is different between on-prem and cloud versions?
*Thread Reply:* 2) Not really. It's changing too fast. You can compare features in the Roadmap if you have access to it.
*Thread Reply:* 1. Are you on Core or Cloud? At least for Cloud, you can use Azure AD as the user and admin source. You can set up MFA for admin accounts on Azure AD which have access to the Cloud portal.
*Thread Reply:* 2. I have requested such a list many times, but never got it. Assume it is cumbersome as there are many changes between the two. But please request it with your account manager or MI partner, maybe it gets heard.
*Thread Reply:* I was a sales engineer at MobileIron, and despite how often we asked, we never got a comparison sheet either. 🙂
Part of it was the monthly MI Cloud releases made it hard to keep up.
*Thread Reply:* 1) You can federate with your IdP for enrollment authentication/user/admin portal access. Apart from that, MI Cloud AFAIK supports 2FA via email.
*Thread Reply:* 2) Functionality-wise MI Cloud and Core are comparable now, with new features being prioritized on Cloud. Especially in the case of desktop management (W10/macOS).
*Thread Reply:* Except for APIs, which are wildly different between the two, of course. However, I presume you’re considering which would suit your current or future requirements best?
*Thread Reply:* To be honest, I think it is messy between Core and Cloud. Some features you expect in Cloud (by nature) come to Core first and vice versa. Working on both is sometimes confusing because you tend to think all features are available on both and you assume it is available.
Hi Ajay, welcome to the group. Whereabouts are you from?
Hi guys, I have one question about Sentry behind HA. The picture is: I have 2 Cores in HA, and 2 Sentrys behind an F5 doing the HA and balancing the requests between sentry1.whatever.com and sentry2.whatever.com in my Core. I have both Sentrys configured; the problem comes when I need to set up the Tunnel app policy to apply it to the iOS devices. In the list of available servers I see sentry1 and 2, but not the balanced F5 domain which the devices must hit from the outside, so how do you proceed to solve that? Thanks
*Thread Reply:* Hi Ignc, in 1 of the Sentry configurations in Core you need to have the F5 domain (sentry.whatever.com) configured for the Sentry hostname. In the system manager of Core, create a static host record pointing sentry.whatever.com to the ip-address of sentry1.whatever.com.
*Thread Reply:* Hi Almar, thanks for your reply. I imagined something like that could be done, but I supposed that a more “elegant” option should be available. It looks more like a workaround than a “clean” solution, that's why I asked 😂. Anyway, if it works I can live with that 😁.
*Thread Reply:* We use the same configuration as @Almar Diehl mentioned. Network load balancer alias is used as sentry name for first node in Admin portal. For all other nodes in the Sentry pool we then add incremental number. So if the NLB alias is sentry.acme.com then the first sentry name is sentry.acme.com, second sentry is sentry2.acme.com, third sentry3… Static host record on Core side will then point sentry.acme.com to first Sentry node instead of NLB.
Does anyone know if Knox Kiosk Mode capabilities have been removed from Core 10.3?
*Thread Reply:* Yes, in favor of AE dedicated device Kiosk mode
*Thread Reply:* And customers who still use Knox Kiosk have to move to AE COSU?
@here Refresh my memory: In Core, if you bulk generate enrollment PINs for devices, that would bypass the per-user device enrollment limit. Correct?
*Thread Reply:* @Woody that is correct. You can also do this if an Admin request a PIN manually. The limitation is enforced on the BYOD portal which is used by users to request PINs for registering devices.
*Thread Reply:* Thanks @Adrian Patrascu! I’d love to find a way to keep this limitation enforced, but exclude DEP enrollments from being subject to it.
*Thread Reply:* I suppose Core cannot differentiate between what is a DEP-Based enrollment and BYOD enrollment from a generic MDM Request Level
How do I use a CIFS share name with spaces in the name 🙈 within a Docs@Work config? Any break symbols or enter it with the spaces?
*Thread Reply:* Have you tried URL encoded address?
*Thread Reply:* How do you mean? Which one is that?
*Thread Reply:* Basically you have URL in your Docs@work config, right? Something like: https://sentryfqdn:445/share/. If you have space in share name then try to use %20 instead of space - something like https://sentryfqdn:445/some%20share/
*Thread Reply:* Gotcha, I will try it! Thank you!
We use an ActiveSync Sentry with Passthrough - Exchange config for iOS native mail. We now need to enable AppTunnel on the same Sentry. Do I modify the existing Exchange config and choose the SCEP for AppTunnel there, or is there no impact for ActiveSync after enabling AppTunnel?
*Thread Reply:* Of course there is impact. You are now using Passthrough authentication. This will be disabled and connections will require Cert based auth.
*Thread Reply:* You need to specify a SCEP config in the Exchange config
*Thread Reply:* It will be pushed to all devices: all current mail, contacts and calendar info will be removed. Until the config is updated on the device, the connection to the Sentry will fail
How would you guys troubleshoot Wi-Fi issues with Core in general? We leverage cert based auth (NDES / MS PKI) and use it with our Wi-Fi. "Issue test certificate" works within the NDES config, so a valid user certificate has been issued and was pushed to the device. The Wi-Fi config was also applied on the device. This config was never changed - but suddenly the majority of the devices cannot connect anymore. It is a bit of a pain because our NPS is not in our hands and the admin of the NPS always tells us nothing was changed on his side, even though the NPS shows "user rejected" in the logs. So this cannot be related to Core. The only thing that confuses me is: if you re-enroll a device, it works again!? Any pointers?
@MichaelM21 any chance that the client cert expired? Is the cert job running properly? Usually the first thing to check is the cert log in the Admin portal and the device’s cert inventory (iOS). You said that it works after a new enrollment, so it must be connected to the client cert (or some profile corruption on the device). In the past there was a known issue when the same SCEP config was used for VPN and other services. Basically in case of a VPN profile re-push, all other profiles using the same SCEP were corrupted on the device (lost their relation to the certificate). So from that point on I always use separate SCEP configs for VPN / Wi-Fi / Exchange.
We have created a new Local CA on Core for Wifi authentication. How can I export the root CA certificate from the local CA WITH private key? We have been told that the Radius server needs the root CA cert with the private key!?
*Thread Reply:* That would not be needed. It only needs the public key
*Thread Reply:* That is what I said, but we receive that on the Radius:
*Thread Reply:* Don’t ever share PK of your Root CA to any other system. In the system log I see “….SSL server credential’s certificate…” so I would check radius server cert first.
*Thread Reply:* @Ladislav Blazek I have read RFC 5216 - The EAP-TLS Authentication Protocol. [...]With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust. The certification authority (CA) that issues the user certificate must also be the CA that issued the server certificate to your NPS server.[...]
That would mean that Core local CA needs to issue a certificate for server authentication with a private key for the NPS. Is that even possible? Issue a certificate with a custom SCEP?
*Thread Reply:* @MichaelM21 “With EAP-TLS, both the client and the server must be assigned a digital certificate signed by a Certificate Authority (CA) that they both trust.“….. This is true. But I don’t think client and server certs must be signed by the same CA.
*Thread Reply:* Basically on MI side you need to edit your WiFi profile and:
By this you ensure that the client trusts the server.
*Thread Reply:* On the server side you need to ensure that server will trust client certs = you need to import MI Core CA cert to Trusted Root CA store
Apparently BYODPortal is being deprecated (wow, it really is that old). MobileIron recommended using Core’s built-in portal. Is there a policy/config to restrict what platforms, OS versions, and device types can be enrolled at the /Go portal?
*Thread Reply:* As of Core 10.3 you can configure what the minimum Android version must be for registration of a device. And also the minimum security patch level. Moreover you can create a white- or blacklist of Manufacturers.
None of this for iOS…
*Thread Reply:* Hi @Woody , Thanks for letting us know this information. Really helpful! Do you have an article to which we can point out? Also is this happening with a particular Core version?
Is there a way to retrieve usage statistics of deployed inhouse apps with Core? Assemble or API calls maybe? Details like how often the app is used by the user
*Thread Reply:* Hi, I do not believe that the MDM protocol allows for this option. You would need access to something like Screen Time or something similar, to which Apple does not allow access. You can know if the app is installed or not, and what version it is running. If you want any details on how often someone accesses a particular service, maybe you should focus on gathering statistics from that particular service, via access logging or something similar. You can use the user agent to identify mobile access.
*Thread Reply:* If the App uses Tunnel/Appconnect you could check logs how often it triggered.
Good morning, I am looking for a way to perform a check in / check out type workflow for a stack of loaner iOS devices using Mobileiron. Has anyone done something like this or similar? Thanks!!!😀
*Thread Reply:* MobileIron has a webclip called multi user secure sign in that lets you swap the user assigned to the device. It can uninstall / reinstall apps when the sign in occurs.
Keep in mind that this functionality is based on the MI assignments, and may have stuff left behind like Safari passwords, or signed in web sites.
our whole data center is going offline tonight. any precautions for MI? Just let it ride out the downtime? Shut it down?
*Thread Reply:* Hi macbentosh, we do several things before we upgrade a MI Core appliance which might be helpful for this scenario as well.
*Thread Reply:* I would recommend a snapshot of it and perform a clean shutdown of the vms before data center.
*Thread Reply:* Is there a good shutdown command?
We have enabled the option „automatically update app when new version is available“ for Mobile@Work, but that doesn’t work for every device! We still have users with old versions and there is no automatic updates - how is the process here? Is this related to the iOS setting of the user if automatic app updates are allowed or if the app was converted to managed or not?
*Thread Reply:* Hi @MichaelM21 are these apps you mention VPP, in-house or Public Apps? Note that the automatic update does not work silently on all type apps. Also the process is a little bit different on Supervised and Un-Supervised devices. If the app is not managed, then the settings are not enforced via MDM.
*Thread Reply:* Hi.. Mobile@Work VPP apps, but some devices are still not enrolled as DEP devices, so I can imagine the conversion from unmanaged to managed was not accepted! Can it be checked whether the app is managed or unmanaged? Devices are supervised and unsupervised.
*Thread Reply:* Yes, from what I know Core has an option to do that. The way I do it is select the app, then click on the number of installations, export as csv. In the csv file there is a column with the Managed attribute. I hope this helps.
*Thread Reply:* You can also choose the option to allow and enforce the app to be managed. Ensure you have the VPP license to be device and not user based as well.
*Thread Reply:* If it’s not supervised it will nag them I think at every device check in
*Thread Reply:* Hi @MichaelM21 I received a question from someone today and remembered your post here. Was there any incentive for you to enable this option? I can see we also have many users that are not running the latest 11.1.0 app, which was released almost 2 months ago. Do you have any concerns with people roaming? As the app is 75MB large.
MobileIron Core and iOS native mail client - restriction to block access for unmanaged apps like WhatsApp. We always unticked the option "Allow documents from managed apps to unmanaged apps". This used to work fine. But now there is an additional payload "Allow unmanaged apps to read from managed contacts account" which was checked by default - and all unmanaged apps had access to the contacts. Now we unchecked it, problem solved. But now it looks like the dialer is not able to read the contacts because there is no caller-ID resolution. Is the dialer treated as an unmanaged app? I doubt that!
*Thread Reply:* Hi Michael, according to this documentation: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxHZCA0 what you are seeing is not a normal behavior. This should not apply to iOS System apps like the Phone or Messages.
*Thread Reply:* That's what I thought. Thanks..
Any good ideas for dynamic filter labels on Core to separate between a tablet and a phone? (Android) - I like display size - but that is the resolution, not the actual size of the display
*Thread Reply:* Hi Michael, if you have just Samsung Android tablets, maybe you can do it based on model like this: "common.model" starts with "SM-T" and for other manufactures see if there is a pattern in model that would help.
@here Alright, gonna go way back in time here. In terms of deploying a Cert-Based WiFi profile to Android (Device Administrator mode)… there used to be a document for Core that spoke to how you presented the CA trust chain to the device so it would install the certificate to the store, etc.
Anyone happen to have a link to or copy of that procedure?
*Thread Reply:* Not a link or copy, but I would try the following:
*Thread Reply:* 1. Create a single file (pem for example) containing all the Radius server, intermediates and root certs. Add it as a Certificate Config.
*Thread Reply:* Not sure if it will work, sometimes you need something to get it to work
*Thread Reply:* @Woody - this one? https://community.mobileiron.com/docs/DOC-1934
*Thread Reply:* @MichaelM21 - Yeah! Thank you so much for finding that
Hello guys,
I have a question. I need to push a .wldep file to devices. I think I have to use an Android XML configuration.
Do you have any idea how to do this?
Best regards
.wldep is for Ivanti Velocity, which I believe for Zebra devices needs to be placed either in /enterprise/usr or /sdcard/Android/data/com.wavelink.velocity
Yes, you’re right. But the only format supported by MobileIron is XML. So I don’t have any idea how to push this format.
MobileIron can only push XML files to devices?
Are these Zebra devices that you’re managing?
If so can MobileIron support application of Zebra’s MX XML?
That might be a backup plan if the .wldep file can’t be distributed directly from the EMM, but I would find that kind of embarrassing
to have to send a Zebra MX instruction to tell the device to go retrieve the file from somewhere else like an FTP server
Yes, it’s the goal of this PoC.
The simplest, as you said, is to send an instruction to the device in order to fetch the files from a file server like FTP or another technology.
@Matt Dermody @Ameri you can create the XML config in stagenow and push it via MI
The new Gartner UEM Quadrant was published. MobileIron way behind (SOTI dropped) - share your thoughts on that. Not sure if Gartner is still a serious and impartial source.. 😳🤔 I can already hear customers bashing about this.
I understand Mobileiron dropping a bit. Not sure (do not agree) about the higher position of Citrix and BlackBerry. Microsoft is high up, but I am guessing this is due to Windows 10 feature set primarily.
*Thread Reply:* Why do you understand MobileIron dropping? Just curious..
*Thread Reply:* Product management has been lacking to introduce a lot of new features and product sets. It’s been really slow for about 1.5 years
*Thread Reply:* Citrix and MS are high up on the back of their legacy tools, which make up for their weakness in the mobility space. They’ve dropped from where they were on the old quadrant on the back of the gaps in that space.
*Thread Reply:* MobileIron hasn't put the focus they need to on Windows. Also, a bunch of customers are jumping to intune. I think these are really the only two reasons.
*Thread Reply:* Do you really think that if Mobileiron was the best tool to manage Windows 10 a lot of companies would do it with MI?.... I’m not sure. MI is small against MSFT, competing on others platforms is already a challenge, competing with MSFT on Windows is suicide. The new strategy to change the focus to a security company is more realistic Because instead of being in competition Mobileiron will start more and more being a partner of MSFT!
*Thread Reply:* Maybe yes, maybe no. I do know a very large MI customer is jumping ship to VMware because they really want to have a single environment to manage all of their endpoints, and VMware does a better job with windows.
And, whether or not you think a company would move, the point is Mobileiron's position in the MQ. The MQ is "unified endpoint management" and Mobileiron is trying more to be "Enterprise mobility management + security", which is why the UEM MQ hasn't treated them well.
As for credibility of Gartner: while I hear a lot of bashing and hints of partiality, I do think the quadrant so far has always been reasonable.
IBM, BlackBerry, Citrix.... come on. MaaS360 is one big mess.
*Thread Reply:* Ya, Intune is developing fast and is available for the majority of companies who are already starting their transition. Blackberry and MI will stay as strong leads as well till the features of both worlds are implemented in Intune. But from my point of view Intune and MI or Blackberry are not equal, so it's not clear why MS is so high.
It depends on the point of view. Since it's a UEM quadrant and some have better implementation of (legacy) Windows and virtualization, it is accurate if you weight this heavily. But if you weight the platforms equally it doesn't fit in my opinion.
IBM being that high is pretty wild to me. They're in front of VMWare in completeness of Vision....how? MobileIron dropping that far back is slightly surprising but in line with general attitude toward MI over the past few years IMO.
*Thread Reply:* Agree entirely. VMW has become the most complete offering out there. Sure, it has caveats.. but holistically.. no other on the market is moving at the pace they are.
*Thread Reply:* MobileIron is still solid, they just aren’t innovating at the rate they used to. I understand a drop, but that is pretty drastic.
*Thread Reply:* MobileIron is already celebrating... 😳🙈
*Thread Reply:* Yeah - I saw that as well. As a former employee, I want what’s best for them… but they really need to light a flame under their arse and get back at it
@here is there a way to see when the MI app was opened on an iOS device? I have a deployer who swears that they launched it within the 4hr enrollment window but it did not.
Last Opened/Last Connected are going to be two different things @macbentosh. Though the app usually seems to check-in when opened… so there may be some truth there
but to answer your question, no.. there is no definitive way to know when the app was actually last opened from an iOS perspective
Curious - I know it’s getting old, but has anyone here spun up and used a MobileIron BYODPortal tenant lately? They’re pushing to use the functionality that’s built into Core, but it really isn’t on par with what BYODPortal provides.
the last checked in there also isn't accurate at all
that's the last time the app was launched... not when it actually checked into MI Core
put the device in airplane mode and launch the app
i miss the 2 green check marks and actual connectivity check it did to core... we used to rely on that through network changes
Well, if that’s the case… I think that’s actually what @macbentosh was looking for @Kiran Patel
Anyone @here know why in core update OS software comes back blank when selecting more than 1 device?
Has anyone faced issues opening attachments on iOS 13.0 Beta? For me, attachments open in the native viewer, however I am not able to open them with third-party apps.
@mahiroux isn't that something for the #ios_betas channel?
@Marc van der Kooy reposted in this channel as I am testing this functionality with Mobileiron MDM. I was hoping to get an answer here in case this issue is known to any Mobileiron MDM experts.
*Thread Reply:* Multiple known issues regarding attachments. Check the iOS 13 guidance: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000fyP2SAI
Hi, anyone ever tried to enroll a W10 laptop that does not have internet access? The customer wants to use W10 laptops without giving the laptops access to internet. The laptop only has access to the Core server. When registering the laptop a device entry is created on the Core server but the status remains Verified. All configurations remain pending.
When trying a Sync it times out with a connection error. Checking the firewall we see that the laptop is trying to connect to several internet sites. Why is it connecting to internet? It seems to try an download Apps@Work? Why and can we prevent this?
You need a WNS channel on the Windows 10 client to use MDM and push configs, etc.
Anyone @here know if you can install the ivanti inventory agent on a MI server? Core or Sentry?
*Thread Reply:* You asked the same question on July 2nd…
What is the trick to allow a user to upload files with docs@work. Don’t have access to the guide right now
*Thread Reply:* If the shares are “published sites” they will be read only; uncheck the checkbox to have this capability
*Thread Reply:* also there are KVPs allowing you to block doc upload
Hi guys, I upgraded my Pixel 3 to Android Q today and I was surprised to see I cannot enroll it in MobileIron Core. It seems this is a known issue with MobileIron Core. Thought this would be a good piece of information to share. The issue will be fixed in Mobile@Work 10.4, which is not yet released. The reason is: Android Permission Controller crashes. Full article is available here for who is interested: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TNVgSAO
I hope this helps!
*Thread Reply:* Have you tested the M@W 10.4 beta?
*Thread Reply:* Hi Almar, not yet. I have asked for this beta version and will test it once I receive. I expect this to work with M@W 10.4 beta. I will keep you posted once I receive it and check it out.
*Thread Reply:* You can test the beta version by opening the PlayStore, select the M@W app and click the option that you want to become a beta tester for this app. After doing this you can upgrade the app to the beta version.
*Thread Reply:* It works, although I still see the app crashing; after a few seconds it automatically re-launches the process from where it left off. I believe there are still a few tweaks to be made here, but it works 🙂! Thank you Almar for sharing this information, very helpful!
I noticed it failed to enrol in beta1 and pinged the PM. Surprised it’s taking so long to get a fix out!
We use Kerberos Constrained Delegation with MobileIron Sentry. After we change the UPN for a user account and remove the user cert so the UPN gets updated, the sync works with iOS Email+ devices, but not for Android Enterprise Email+. Any ideas? If we change the UPN back to the old one, AE devices are able to sync again.
*Thread Reply:* If I remember correctly you will need to push the Email+ client to the device(s) again since the certificate is part of the configuration.
*Thread Reply:* Almar 007 strikes again.. thanks! 👍
*Thread Reply:* Curious how you’re going about removing the user cert so the UPN gets updated? I’m finding that in a similar situation using KCD where the UPN is changed in ADLDS, iOS SCEPs automatically refresh, but SCEPs inside a Knox container do not. I’ve been looking for a way to trigger the refresh of that SCEP, or worst case, somehow script the deletion of the user cert so that it will refresh at next device check-in.
*Thread Reply:* @Nick you can remove the cert via Core Admin Portal (Certificate Management tab) and a new cert gets issued and deployed to the device automatically
*Thread Reply:* Agreed, @MichaelM21, and that's a worst case fallback. But in my particular case, the UPN of tens of thousands of users is changed on a rolling basis.
*Thread Reply:* Oh in that case I agree, that's no option for you 🤮 Any possibilities with Assemble?
Anyone using or looked into using MobileIron Access SSO with Cisco Jabber?
*Thread Reply:* Tunnel v3.x doesn’t support UDP packets. Tunnel v4.x, currently in beta and releasing soon, will support split UDP, so your Jabber server must allow UDP from the internet
*Thread Reply:* Ah yes, we talked about that. Thanks for reminding me. 👍🍻
*Thread Reply:* Can we use Access As A Service with PingFederate as Delegated IdP though or is there a drawback?
*Thread Reply:* @MichaelM21 I am also looking for some guidance for deploying SSO for Jabber via Access. Are you using a Jabber MRA deployment?
*Thread Reply:* @mahiroux yes, we also use an expressway. Our users have only smartcards so they don’t know any passwords. We are looking into cert based or SAML
*Thread Reply:* @MichaelM21 Did you manage to deploy SSO for jabber MRA?
*Thread Reply:* Unfortunately we didn’t start yet. How about you? I have read on another thread here that it is not clear that Cisco supports Tunnel at all.. @NicolasR do you guys have any customers with Jabber and Tunnel?
*Thread Reply:* @Michael Not yet. As per our corporate policy, we had to make sure all the calls are recorded. We have achieved this very recently with our existing recording solution. Now the management has given the green signal to go ahead with production deployment. Do you prefer SSO over CBA?
*Thread Reply:* @NicolasR do you have any documents how to configure the delegated IdP Pair in the Access Admin Portal for Ping and Cisco Jabber SSO? I have the document for O365/PingFederate, but not sure how to setup the same for Jabber..
Does MI Cloud have the option to configure battery optimization for Android apart from using KSP for Samsung devices?
*Thread Reply:* Ask your OEM to support it with OEMConfig, it's not an AE API
*Thread Reply:* Fortunately it is for Samsung devices so KSP can be used, but most likely an extra license is needed
*Thread Reply:* I wouldn't immediately assume so. There's a mix of both free and licensed in KSP
does anyone on here know how I can get access to a trial/demo version of MI? It's the only UEM I've never really had any exposure to, however it is something we come across a lot with our customers that we cannot support as we've never seen it/used it. I put my details down for the free trial on their website but nobody ever gets back to me.
@Ajay Patel did you do this on their partner site?
no just their standard site as we are not a partner
Anyone here upgrade prod to Core 10.4? We found some interesting bugs so curious how others worked around them. 1) could re-push managed apps set to repush 2) apps@work icon reverts. We can change it but tomcat restart reverts it 3) loses connectivity with sentry but they have a hotfix for this
Cc @John Zmyslowski in case I’m missing anything
*Thread Reply:* For the apps@work icon we have the same issue on CLOUD R64. Fixed in R64.3
*Thread Reply:* I can confirm 2 and 3.
*Thread Reply:* it will be fixed in 10.4.1
*Thread Reply:* Anyone have an ETA for release?
@here Trying to remember - If I check the AE box, will the app also remain available for legacy devices running Device Administrator?
*Thread Reply:* Thanks @MichaelM21! I tested it with a new app and observed the same (while waiting for a response).
Is there a way to change the name of an iOS device with MobileIron Core?
*Thread Reply:* No unfortunately not.
Will there be zero day support for iPadOS with MobileIron Core? Are there any details yet what the main difference will be with iPadOS?
*Thread Reply:* I am not aware of any differences between iOS and iPadOS in regards to MDM api/functionality. So it is still pretty much iOS. Everything works fine on my iPad with iPadOS 13.1 beta.
*Thread Reply:* Great, good to know! Thanks Ladislav!
*Thread Reply:* @Ladislav Blazek Have you noticed any issues with ‘open in’ attachments with managed apps? I am not able to open attachments from mail apps with managed apps. The open in function works the moment I remove MobileIron from the device.
*Thread Reply:* @mahiroux Will check. What are your managed open-in settings in Restrictions config?
*Thread Reply:* Both managed to unmanaged and unmanaged to managed unselected.
*Thread Reply:* In our prod environment, unmanaged to managed is enabled, however the same issue is noticed.
*Thread Reply:* There will be no zero day support for some new features. F.i. user enrollment will be supported in a Core upgrade planned for the end of the year (according to MobileIron).
*Thread Reply:* @Almar Diehl yes, I hope that MI will implement (at least some) new features fast. VMware already announced support for some new features like selective sync of Mail/Calendar/Contacts in the Exchange payload in WSO UEM version 1908
*Thread Reply:* @mahiroux Do you see managed apps in Share dialog or not?
*Thread Reply:* I am testing now managed open-in functionality on my iPad running iPadOS 13.1 beta (currently enrolled in WSO). I see the managed apps in share dialog but when I tap the app to open document nothing happens. Looks like it is seriously broken in iOS/iPadOS 13.?… Anyone else can confirm? #ios_betas
*Thread Reply:* I can see them, however it doesn’t open attachments. When I select both restriction configs, Managed to Unmanaged and Unmanaged to Managed, open in is working, however that breaks our DLP controls.
*Thread Reply:* @mahiroux of course. I see the same behaviour on my device managed by VMware WSO. What is the iOS version you are testing on? 13.1 or 13.0 beta?
*Thread Reply:* I have been testing this from Beta 6 to 13.1 with the same result.
*Thread Reply:* I have not noticed this bug in previous betas…. good finding. Thanks!
*Thread Reply:* I see similar on my iOS 13 Beta6 not able to open attachments in a managed app, but I remember I was able to do this in the past. Has something maybe changed in this new Beta 6?
*Thread Reply:* Don’t know… I just submitted issue via Feedback Assistant to Apple. FB7153828
*Thread Reply:* @Ladislav Blazek “selective sync of Mail/Calendar/Contacts in Exchange payload” - I think I’ve been waiting on this for half a decade. Nice to see it finally coming to life!
*Thread Reply:* @Woody yeah, finally a solution for customers using Email+/Boxer on iOS and struggling with contact sync.
*Thread Reply:* This would have been super useful back when we were pushing calendars to Administrative Assistants
*Thread Reply:* @Jonathan Henson @japple In case you guys are still doing some of that ^^^
*Thread Reply:* Yes, exactly, calendar only is another use case.
*Thread Reply:* It’s like this since the first release of iOS 13 beta.
*Thread Reply:* By the way iOS 13.0 will require one of these:
*Thread Reply:* Awesome Thread!!👍
Anyone familiar with the ErrorCode 12040 for Install Managed Application on MobileIron Core? We use Apple VPP (Device License is used), but sometimes users get prompted for an Apple-ID. In this case for Mobile@Work or Docs@Work.. Only some apps with certain devices have this issue.. UPDATE: damn, sounds like this: https://help.mobileiron.com/s/feed/0D53400004dlVD1CAM
Is there any impact for existing devices if I revoke all licenses?
@here anyone know of where I can find good mobileiron flowcharts? looking on the help page now but their search is not working as I would like it
looking more of a flow as to how email flows
yeah I think it was the 1st image result when I googled "MobileIron Sentry Map"
Anyone successfully configured Cisco Jabber Android Enterprise (Chat) using MobileIron Tunnel? I first of all get a SSL error (showing the correct certificate) and when I trust the certificate (which I should not need to do) I get a server not found. In the logs I see a 200 OK connected to server.
In the Jabber configuration there is a KVP ‘Third Party VPN’ with 2 possible values, being: 0 - do not support non-Cisco VPN 1 - Android native VPN
Could this mean that MI Tunnel is not supported at all?
*Thread Reply:* Very good question. I am also interested in this, but I haven’t started the implementation yet.
*Thread Reply:* Haven't done it yet, but Tunnel uses the native Android Enterprise VPN, or? Which certificate are you asked to trust? Sentry or jabber server? Is Jabber UDP or TCP?
*Thread Reply:* Hi Wolfgang, it is asking to trust the SSL certificate of the Jabber server. But your question about UDP or TCP triggered me. I think Jabber by default connects over TCP port 5222 for XMPP.
*Thread Reply:* https://ccieme.wordpress.com/2017/01/23/cisco-jabber-port-usage/
*Thread Reply:* is the certificate from the Jabber server an internal one? maybe trust the CA on device side.
*Thread Reply:* Well yeah, seems to be a firewall issue. Trying to get this solved.
*Thread Reply:* So all UDP relevant traffic must be reachable from the internet before Tunnel 4.0 hits.. Was that task clear how to publish all relevant UDP services?
Is there a timeline for Core 10.4.0.1 (or 10.4.0.2, not sure which one is the next) which fixes the issues in 10.4.0.0 and supports iOS 13?
*Thread Reply:* 10.3.0.2 is already available with the compatibility support for iOS 13 devices, in case you have not migrated to 10.4.0.0 already
*Thread Reply:* Good point thanks. But I believe the publishing of private apps for Android Enterprise without a developer account is only available from 10.4. I don‘t see the iFrame integration with 10.3.0.0
*Thread Reply:* @NicolasR what is coming out on 9/4?
*Thread Reply:* We've been holding on 10.4 due to a few bugs we found
*Thread Reply:* 10.4.0.1 planned for tomorrow
*Thread Reply:* Awesome, what's fixed in it? 😄
*Thread Reply:* Mostly iOS/iPadOS 13 stuff, but also the issue that occurred with 10.4.0.0 and sentry sync
*Thread Reply:* 10.4.0.1 is available - safe to install?
This week, i believe tonight actually
We have 4 admins on Core 10.3.0.0 - everyone is in the same space and has the same permissions. But only one admin can be chosen within an Event Setting (like System Event) for CC to Admins, the other 3 admins do not show up there. Any ideas why?
*Thread Reply:* Do they, the other admins, have a device registered?
*Thread Reply:* Events only work for users/admins with a registered device… (was dumb 5 years ago, still so unfortunately. Admins do not have a registered device normally)
*Thread Reply:* As Mark says, very annoying. As a workaround I just create a device registration for the admin but don't actually configure a device, just leave it pending.
*Thread Reply:* What, really? No, no admin has devices, even not the one who can be chosen. But I remember we had a thread in here where someone explained that events work with local user where the email address of that local user can be a distribution list. That local user has no device and I am 95% sure that events are getting delivered. I gotta find the thread.
*Thread Reply:* This workaround has not been applicable for years now!! Check if the admin exists in the users list; if not, import them there
*Thread Reply:* @NicolasR in the event you mean? Why would they not appear in the admin area if they are admins?
*Thread Reply:* Admins are user objects with admin permissions
*Thread Reply:* So regular admin should be in users list
*Thread Reply:* @NicolasR I am not sure what you mean. But in any case: for System events, you can only select “admins” when they have a device registered or a device registration. Admins without a device or registration will not be shown regardless
*Thread Reply:* If I look under Devices & Users / Users they don’t show up under Authorized Users.. most probably because they have not logged on yet (they are LDAP accounts).. I can search for them via LDAP entities. @Mark Vonk the one which can be chosen also has no device registered and I can select him
*Thread Reply:* Admin here looks for any user in the database. Not only users with admin permissions
*Thread Reply:* But not sure how I can solve it..
*Thread Reply:* Add them manually in the authorized entities list
*Thread Reply:* I can only add local users there
*Thread Reply:* No, you can add users but UX sucks...
*Thread Reply:* 😂😂 I see no button for this
*Thread Reply:* Ok. so I have a local user. It is shown in the authorized user list, but I can’t select it. It does not have a device or device registration. Identical user, in authorized, with a device: can add it to the Event admins
*Thread Reply:* @NicolasR and how should I add it then? Via CLI?
*Thread Reply:* Nope, select the drop down LDAP entities
*Thread Reply:* Search for them and add them user portal role
*Thread Reply:* @Mark Vonk same here. I have created a local user, and I can select the local user in the event. What core version are you on? 10.3.0.0 here
*Thread Reply:* As soon you do this they will show in the authorized entities
*Thread Reply:* That user has user portal already
*Thread Reply:* You can use the account to log on once (for ex. on the Admin portal) and it will show up under authorized users. But I am still not sure this solves it. As said before, I can’t search for and/or select any account without a device registration or device. I am on 10.4
*Thread Reply:* My local user has also never logged on and still shows up as authorized. Giving up for today
*Thread Reply:* @Mark Vonk did you select SMS or push as the delivery method to admins?
*Thread Reply:* No, but changed it. No difference. Can search for and select user1 (has a device). User2 (without device) can’t be found or selected
*Thread Reply:* @NicolasR I have the same setup and this also works for me. But not for the ldap admins
*Thread Reply:* both user1 and user2 are local users for me
*Thread Reply:* Identical users except for the UserID. And user1 has a device
*Thread Reply:* Also did a short test.. local user with distribution list email added to a system event. Shut down Sentry. Under Logs/Events I see Sentry not reachable - status dispatched.. can’t check at the moment if it was really delivered
Hi, have you noticed an automatic launch of the Mobile@work version 10.4 application in Android Enterprise COPE mode?
*Thread Reply:* Yeah… and since that time we are fighting with constant notifications in M@W with message “Device in compliance”. Already created ticket on MI support portal.
*Thread Reply:* Ok, I will open a new ticket to reinforce your case
*Thread Reply:* Do you see the same issue @Luc?
*Thread Reply:* It happens on Android 9 and 10, others I don’t know, and in COPE and BYOD mode
*Thread Reply:* @NicolasR What you mean by “Android 10 it’s as per design”? Users are getting that message like every 2-3 mins…
*Thread Reply:* @Ladislav Blazek https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TOVUSA4 “MobileIron Clients (Mobile@Work & Go) will not be auto launched after Android Enterprise profile is setup due to changes in behavior in Android 10. The user will be informed through a notification, and the user will need to restart the profile app from the launcher icon or through the notification.”
*Thread Reply:* Thanks @NicolasR. My issue is right now on Android 9. Users are bombarded by notification every 2-3 mins, M@W is running. Not able to verify behaviour on Android 10… but as far I understand this should happen only in case M@W is killed/not started, right?
*Thread Reply:* We had that with SAM 8.5... probably the same issue
*Thread Reply:* You’re not the only one @Ladislav Blazek A customer reports it also
*Thread Reply:* Hi Ladislav, could you give me your case number so I can refer to it
*Thread Reply:* I will also refer to your case in my case
*Thread Reply:* So I hear that it will be fixed in the next version of Mobile@Work, 10.4.0.1
*Thread Reply:* Any idea when it will be deployed on Google Play?
*Thread Reply:* Next week the version 10.4.0.1 beta will be deployed, and normally this version will fix this issue. I will give you some feedback when I have tested it
Has anyone run into the issue where apps that are configured to push upon registration are re-pushed after upgrading to 10.2.0.0 or later? Anyone aware of what version this will be fixed? Seems like a pretty big one. https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000GzQNSA0
*Thread Reply:* Never seen this issue in the wild anywhere. Might be that some Core had it, but issue did not present itself in a bad way.
*Thread Reply:* 10.3 creates new iOS MDM configurations for all registered iOS devices and pushes those to the devices. The behaviour you are seeing might be a result of this.
*Thread Reply:* 10.4.0.1 was released today. installed this morning, confirming so far that it resolves the custom app branding issue for apps@work and the sentry to core disconnect issue.
Has anyone a good source for a technical comparison between Intune and MobileIron? Looking for the advantages of MobileIron. There was one on emm.how published by Brandon. Not sure if this is still accurate. Here is the link: https://emm.how/t/common-issues-limitations-of-microsoft-intune/839
@MichaelM21 If you are a partner, there are some good battlecards of MI vs. Intune on the partner site. They are confidential in nature and MI does not like them to be shared with the customer. But you can extract what you need to do the comparison between the 2 platforms.
^ since I'm not a customer, anyone care to share?
Please be aware this content quickly becomes incorrect or outdated. The ones from MobileIron are already outdated. Intune moves along and so does MobileIron of course. The difference between the two depends on the use cases of the customer and the point in time. Unless you go into that much detail and maintain it constantly, you can only compare them on a very high level, losing all the fine lines.
I agree, battlecards are not a good starting point. There is no comparison document and as Mark said, the best approach is to address each use case to focus on the few capabilities required
The differences are often also in the details. Such as is a feature beta/preview or live, are the features scalable, are they full or semi automatic, are the features interoperable or working only for some usecases, are there known bugs/limitations, ...
it's hard to articulate just how much using Intune sucks in a quantifiable way
You don't know until you're 17 "blades" into a policy to change one small setting
or trying to delete a VPP'd app to find that that's just simply something you can't do in Intune
Also if Android Enterprise corporate enrollment is important, Intune is out of the game
*Thread Reply:* What makes you say Intune is out for AE?
*Thread Reply:* COBO still in preview after how many months/years... no COPE in sight! Only COSU with no user affinity.. So what do you pick? No way to enable system apps via Intune. No MX support for Zebra Devices via DA.. And while we are at it - no E-FOTA!
*Thread Reply:* I’m not as familiar with the limitations as you are. Just trying to understand the difference from what both Google and Microsoft are saying when calling Intune “AE Ready” (https://androidenterprisepartners.withgoogle.com/provider/#!/75 ) and the reality. Acknowledged that many use cases aren’t viable.
*Thread Reply:* I have a pretty long list of what doesn’t work with Intune. I will share it once I have finished it! 😊
*Thread Reply:* Before I dive into the weekend I’d like to share this one (again) because it always makes me laugh and cry at the same time - I will never understand this action of a non-compliant device: 😂😂🙈🙈
*Thread Reply:* You'll notice the only other vendor with a ** is Google itself.
So is the Outlook app on iOS, because there still is no caller-API support to be GDPR compliant
Outlook app on iOS sucks big time anyway, not just because of the missing caller-API...
Any release date on Sentry 9.7.2, which obviously will be needed for iOS 13 support due to the new info from MI?
*Thread Reply:* MobileIron: It is not a requirement to upgrade. In Sentry 9.7.2 what changes is the self-signed certificate format, and Sentry 9.7.2 will generate compatible certificates with iOS 13 and macOS 10.15. As long as the existing certificates on Sentry meet the requirement from this KB, there is no need to upgrade Sentry: https://help.mobileiron.com/s/article-detail-page?urlname=iOS-13-macOS-10-15-Requirements-for-SSL-certificate-trust
*Thread Reply:* Thanks Almar! 👍 So the email that they sent out was too basic!
*Thread Reply:* There are also some discussions that you need Sentry 9.7.2 if you use Access.
Heard yesterday that the messaging that went out from MI that 9.7.2 is required for iOS13 support was not correct.
SENTRY 9.7.2 IS NOT NEEDED UNLESS YOU USE SELF SIGNED CERTIFICATES OR LEGACY ACCESS! @here As the question came from everywhere today... better now that it is said as a broadcast 😂
Who is still using self signed certs anyway… Time to stop that BS
Has anyone successfully deployed Cisco Jabber for iOS and Android via mobileiron?
Anyone else experiencing issues with Cert Based Auth for Wifi with Core 10.4.0.1? Certs are being issued, but device can’t connect. Only new enrollments are affected - CORRECTION: no device is able to connect via CBA. How can I decrypt the M@W logs? Only via support? Pull client logs is only for Android
*Thread Reply:* I am not sure if the M@W logs will help at all…. If the device can’t connect, you will need the device logs (if Android, use ADB) and your WiFi controller logs to determine the issue.
*Thread Reply:* No generic issue with this on 10.4.0.1 I believe; I did not see any issues so far with client certs.
*Thread Reply:* The controller is not even relevant at this point because it looks like the configuration is not being applied on the device because choosing the Wifi SSID manually prompts for a username and password
*Thread Reply:* But you are right, could also be an issue with the controller that CBA is not working at all
*Thread Reply:* Having said that it worked fine before the upgrade to 10.4.0.1
*Thread Reply:* Aha, so the config fails to be applied. Or the referenced client cert can’t be found. Something like that. Do you see the client cert on the device at all?
*Thread Reply:* Yes, the client cert is on the device. Also the wifi config has the status applied on Core
*Thread Reply:* I am using the same SCEP for Exchange.. Exchange works though
*Thread Reply:* Scep for Exchange or for Sentry ? Because the Sentry is not really picky about the cert: as long as it’s from the correct CA, the sentry will allow it. Did the Core push new client certs? You mentioned all devices fail to authenticate. If so, the Core must have pushed all new client certs to all devices.
*Thread Reply:* Yes, SCEP with Sentry (KCD) for Exchange, but of course without Sentry for Wifi. But we referenced the same SCEP in the wifi and exchange config
*Thread Reply:* Yes all devices stopped working.. Have not verified if Core pushed out new certs. Have verified that new enrollments get new certs and they also fails.
*Thread Reply:* I would check that first. Because of the following: if a device, registered prior to the upgrade to 10.4.0.1, did not get new client certs pushed, the “old” certs are still on the device. Hence, these devices should not fail to connect unless on another level something is failing (WiFi controller for example)
*Thread Reply:* If the Core did push out new certs to all devices; there was a change in Core or something else that forced that to happen. That might point to a Core issue and in that case, I would investigate, with MI support, what caused that to happen.
*Thread Reply:* Thanks Mark, I will investigate further! 👍
*Thread Reply:* Ok I have picked two sample devices. Core has not pushed out new certs for these users and the cert is still on the device, but choosing the SSID on the device brings up the dialog for username/password. Will check the controller tomorrow, but it seems that there is an issue with the wifi config. Found out that a lot of other devices are suddenly in the watchlist of the wifi config but nothing was changed within the config - not my sample devices though
*Thread Reply:* I had to remove the trusted certificate names of the network controller from the wifi config even though they are still valid!
Customer is migrating to Apple Business Manager, finally. Has multiple MI Cores (3). Does this require multiple VPP tokens, one for each server? How the heck does this work? I am new to MI and VPP as well, I came from managing computers and at $oldJob we didn't use VPP.
yes, one VPP token for each Core. If the three Cores should use distinct VPP apps and license pools you can define multiple locations and generate one VPP token for each location.
*Thread Reply:* Is there more info within the error message? What's your issue - prompting for an Apple ID?
*Thread Reply:* try refresh VPP info to the platform
*Thread Reply:* usually means there is a licence allocation error
*Thread Reply:* Apple confirmed there are VPP issues that they are investing on
*Thread Reply:* Hopefully they are investigating 😉 🤣
*Thread Reply:* @NicolasR do you have a reference for that?
*Thread Reply:* not anything specific, just info I heard internally.
how long do you all wait at this screen before force rebooting it?
nvm guess all i needed to do was message this group and it would reboot
Is anyone familiar with this error generated by MobileIron syncing DEP devices? "Check updates for DEP Account 'xxx' failed with reason : oauthproblemadvice Bad Request."
are one or more certificates in the file?
In which file do you mean? We use KCD with Exchange. We reference the SCEP in the Email+ config, the same as for native mail with the Exchange config, which works. Only Email+ fails.
*Thread Reply:* Haven't seen this with a SCEP profile yet. We had a very similar problem with S/MIME certs in Email+. Seems it does not like all types of certificates/parameters.
Just had a colleague refer to MobileIron as Mountain Iron! 😆
Yea, MountainIron is the new brand, will be announced soon
That’s great. I assume they were confused with Iron Mountain
Hello @here, question on Access Delegated IDP (ADFS + O365), when deploying Access, you only have to set a Delegated pair with ADFS and run the script on ADFS ? is that all for configuring the flow traffic ?
*Thread Reply:* Hi Jean-marc, as far as I am aware - yes
*Thread Reply:* I implemented this in our staging environment -> you need to make sure that you got the certificate mapping in place - also the powershell script might add some further lines to the onload.js for the ADFS Web Theme that you are using for difference between Mobile and Workplace
*Thread Reply:* Thanks Armin, up & Running :)
@channel For EMEA partners; please check if you have recently received invites/registration for the upcoming EMEA partner events in October/November
I think @Mirko Bülles mentions EMEA partners events, not US/APJ
Has anyone seen the behavior with Android Enterprise Work Profile that for some apps it just states "Waiting for Download"? It happens in an Android 9 Work Profile on an Oppo device, and also with Android 10 on a Pixel 3 phone. I see this behavior for Docs@Work and some other apps. Other apps that should be silently installed are working, but as soon as it tries to download Docs@Work it just blocks everything: other apps are not being downloaded and it just states "Waiting for Download" and spins endlessly. On a Samsung S10 with Android 9 it is working without an issue.
*Thread Reply:* Nope - Tried to reboot - also retired and performed a new registration
*Thread Reply:* behavior stays the same
*Thread Reply:* Sometimes I can cancel the Docs@Work download and it jumps to the next app - but not always - and still Docs@Work never showed up on the Oppo or Pixel device
*Thread Reply:* I wouldn't count on anything working properly with oppo/Xiaomi/related, but on pixel that's unusual. Indeed cancelling the stalled app gets things moving for me, and it's not limited to WP.
*Thread Reply:* Yeah - I am not sure if I am hitting this issue on Pixel because of Android 10
*Thread Reply:* Because on Samsung with Android 9 everything is working - and I am also not a fan of those oppo devices
*Thread Reply:* but from Pixel I would have expected that this should be working without an issue
*Thread Reply:* Does it look ok on https://play/google.com/work
Is anyone using a proxy with web@work on iOS. I want to send all the external traffic through a proxy, the tunneled services don’t have to go through the proxy. Is there a way to achieve that?
*Thread Reply:* I think you can do this with Advanced Traffic Control Settings on Sentry -> there you can specify a proxy and also specify which traffic should go through sentry directly allowed and what traffic should go through the proxy
*Thread Reply:* I am not sure if this is what you are looking for
Guys, one of the users is having a challenge while connecting an iPad to a Mac: QuickTime is not recognizing the iPad. The user wants to screen share from the iPad to the Mac. The user has full USB access to the Mac. Does any specific setting need to be done on the Mac or iPad?
*Thread Reply:* Is this a DEP device where perhaps the USB pairing is disabled? Can you pair the iPad to the Mac?
getting this error on about every 10th device generateXML: Client: 1073753189 -- No MDM device certificate found (event 201276587)
*Thread Reply:* Sounds like a DEP deployment in which the agent is deployed by VPP and hasn't been activated within 24h of enrollment
On iOS 13+, I can save managed email attachments from the Native Mail app to the 'Files App'. Is there a way to restrict this besides using Sentry attachment control?
Depends on how you set the managed > unmanaged apps and unmanaged > managed app restrictions. If you do not allow from managed to unmanaged, in theory, it should not allow you to save it to files (because unmanaged). If it does, I assume it’s a bug..
@mahiroux @Mark Vonk there is known issue with iOS 13.0 - Managed data can bypass Open-in restrictions using Files app - should be fixed in iOS 13.1 beta 2 - see https://help.mobileiron.com/s/article-detail-page?urlname=MobileIron-Guidance-on-iOS-13-iPadOS-13-Compatibility
@Ladislav Blazek With iOS 13.0, managed data from AppConnect apps such as Docs@Work could be saved into the Files app; that is resolved in iOS 13.1 beta 2. However, I am still able to save managed documents from the native mail app onto the Files app.
@mahiroux yes that is true. But try to open document from the Files app. You will notice that saved document is still managed and it is possible to share/open it only to/in managed apps. I just tested it on the latest 13.1 beta.
@Ladislav Blazek You are right. Documents are managed even if saved in the Files app. Would these documents become unmanaged if EMM is removed from the device?
Hi, when enrolling an Android Enterprise COBO device using the afw#mobileiron.core method, the drop-down menu for (quick) settings is not available (tested both on Nokia 8 and Samsung XCover 4s). When enrolling the same devices using either NFC bump or QR code, the drop-down options are available. Anyone know if this is a MobileIron or Android issue?
*Thread Reply:* post-provisioning but pre-enrolment?
*Thread Reply:* or post enrolment with the kiosk launcher and lock task active?
*Thread Reply:* Post provisioning, no kiosk.
MobileIron I'd assume. Check if the same default policies are being applied (via ticket)
Anyone notice that on iOS 13 Apps@Work doesn't fit the screen anymore, as full screen web clips show the URL on top in the new UX? This means on a phone without a button (X, XS, etc.) the user can't easily tap the bottom row of icons
Are there any specific firewall exceptions for Cloud Notification Service with Email+ on iOS with Core? (not Realtime CNS).. it looks like CNS is not working when a device is connected to our company wifi. 4G connections seem to work; CNS triggers within the 300 sec.
*Thread Reply:* Known issues on going: trust.mobileiron.com
*Thread Reply:* appears to be fixed as per internal comment since 3:33 PM but need to rely on official status to be sure. 😉
*Thread Reply:* Oh shit.. ok thanks totally missed that ✌️
*Thread Reply:* Ok we found out that the notifications do not arrive outside of business hours. The work hours feature is disabled within Email+, but still no notifications arrive at the evening. Opening Email+ the next morning brings all the emails. Any ideas?
Anyone else having to reenroll devices that came from a backup still?
*Thread Reply:* iOS backups? DEP or not? If so, this has always been a big issue. There is a product bulletin within MI about it, and in the comments everybody has their own recipe, which works for some and not for others...
Hi team, I have a problem. I have a Core 10.3 and a Sentry 9.6.1, and I use Android Enterprise configuration. The problem happens when using Docs@Work. In it, I have configured a network drive; it can be seen in Docs@Work, but when I try to access it a metadata error happens: "error downloading metadata: Invalid response from server was obtained. Contact your administrator". The Sentry is a Standalone Sentry.
*Thread Reply:* Do you also have MobileIron Tunnel app configured on the device?
*Thread Reply:* No, is it necessary? I think it is only necessary to configure it in the Docs@Work app: AppTunnel rule {"sentryHostName": "https://xx.xxx.net", "sentryPort": "445", "domainPattern": ["*. *"]}
*Thread Reply:* Tunnel app isn't required. For the Sentry port, try 443. "sentryService" appears to be missing following sentryPort, such as "sentryService":"CIFS"
Have it working fine with Kerberos auth
*Thread Reply:* Debug on Sentry will confirm if device is hitting it
*Thread Reply:* Thanks, I tested port 443 and 445 with the same result. Finally it works, without the Tunnel app, without "sentryService":"CIFS" in the JSON. I don't know how. I hate JSON!! But thanks for all!!
Hello guys @here, is it possible to automatically install a WebClip on iOS? I only found configuration to push it in Apps@Work... (Core 10.4) Thanks, have a great day
Policies & Config > Configuration > Add new > iOS > Webclip
arf Using policy instead of WebApplication !
Anyone @here remember where to change the setting that prevents the users from being notified in the app about a privacy change?
Also why is this crap always blank when I pick more than one device!!??
Hello @here, any idea on how to enable system apps on the personal side (COPE) like Gallery & Camera on Samsung? These 2 apps are only displayed on the work profile.
*Thread Reply:* I only got this working by enabling all system apps in KME.
*Thread Reply:* Thanks, I just tried and you're right, Camera & Gallery are displayed in the personal profile only if you enable all system Apps in KME...
Hello @here, is anyone using Help@Work in COPE mode on Android Enterprise (fully managed device with work profile)? The Mobile@Work client being on the personal profile, the request for a remote session is asked on the personal side! So it asks the user to download QuickSupport from the personal Play Store...
Trying to help a customer on MobileIron; however, as I've never seen the portal, I'm hoping someone can help here. Where would I go to see a list of devices that have been synced from the customer's ABM account? For example in WS1, you go to Devices > Lifecycle and see them in there.
I need to change the apple id of the mdm certificate on Core because the apple id doesn’t exist anymore and I can‘t renew the cert. If I use a new cert, do I have to reenroll every iOS device?
Yes, but Apple enterprise support can help you avoid that.
It looks like they can’t. We have raised a ticket with Apple and they said there is no way to restore the apple id, because it was deleted month ago
anyone @here having users on iOS 13 getting a message about downloading the rest of the message first before replying or forwarding?
*Thread Reply:* I did have this issue with the beta, but 13.1 GA seemed to resolve this for me
*Thread Reply:* I have noticed this in 13.1 as well.
*Thread Reply:* Yes I've seen this personally in the beta and still with 13.1.2. Also noticed an increased uptick on when you reply it trims the body
*Thread Reply:* I was getting all of this in beta versions (every one since 13 became available) but I'm not getting this on my new iPhone 11 running non-beta software
*Thread Reply:* exchange only or IMAP email too?
*Thread Reply:* any postings about this? The exchange guys are pointing the finger at Mobileiron
*Thread Reply:* Definitely not MobileIron, I'm just using native ActiveSync (although as mentioned no longer seeing the issue)
*Thread Reply:* we still are… Wonder if i need to update the users and setup email again
*Thread Reply:* We are seeing the issue with a managed mail profile directly to Office 365 (no sentry in the mix) so that should rule that out
I’m looking for a document how to get MI Tunnel working with iOS SSO/CBA with local CA for Safari. I think I’m almost there but just missing the last steps to get it working.
*Thread Reply:* did you import the MI Root cert into your NTAuth store?
*Thread Reply:* certutil -enterprise -addstore NTAuth MobileIronCACertFilename.cer
*Thread Reply:* needs to be run by an Enterprise Admin I believe
*Thread Reply:* also what's your SSO config in MI and Tunnel SRV key pair look like?
*Thread Reply:* I've spent more time on this than I'd like to admit 🙂
*Thread Reply:* Yeah, I'd be using customer PKI/SCEP before adding a local CA to the NTAuth store
*Thread Reply:* Kiran, I did that but still no result on the device
*Thread Reply:* this is my SingleSignOn config
*Thread Reply:* and the SRV record in the tunnel
*Thread Reply:* I think it's in the certificate or something on the domain controller itself
*Thread Reply:* In the event manager I see a failed smartcard logon due to a certificate error
*Thread Reply:* Which local CA are you using now? MI Core Local CA?
*Thread Reply:* What do your safari domains in the VPN profile look like?
*Thread Reply:* have you tried in the SSO config the URL prefix to be http://.mmsdemo.nl & https://.mmsdemo.nl
*Thread Reply:* also try removing the application identifier to rule that out.
*Thread Reply:* for example if you're testing with a webclip the identifier is different I believe
*Thread Reply:* @Kiran Patel I'm using MI Local CA, and changing the SSO config URL to http//.mmsdemo.nl is not allowed, so I changed it to http://**.mmsdemo.nl but it does not change anything. I am still being prompted for username/password. If I leave out the certificate in the SSO config, the SSO prompt is shown. When I fill in the password I will be signed in.
*Thread Reply:* in the VPN in the safari domains i have mmsdemo.nl filled in.
*Thread Reply:* everything is working VPN and SSO except for the CBA part
*Thread Reply:* for Safari domains do you have MI Access with wildcard split tunnel?
*Thread Reply:* If not, you may have to specify the DCs in there and specific web servers
*Thread Reply:* I believe we had the same issues with Core as local CA, SCEP via NDES works fine. I believe there is a document somewhere that for iOS SSO it is not recommended to use the local CA!
*Thread Reply:* are you testing this on a device that has iOS 13.2 Beta 1 by any chance? I actually recently faced issues with that but works fine for me in iOS 13.1.2
How can I assign user portal permissions to an OU? We want to assign User Portal permissions to our entire domain users, but without the use of groups.
*Thread Reply:* Thanks, yes 🙏 - and your „test“ is the name of the OU, right?
*Thread Reply:* Yea, it's blank if you open it without an entry inside the search list. Took a test OU for the screenshot. 🙂
Anyone successfully send a PNS or SMS using the MI Core API? Trying the following but having an issue
Postman returns an empty value and PowerShell errors out on a 405 using Invoke-RestMethod to the API endpoint
@Kiran Patel use APIv2 and Post method. Correct endpoint is: /api/v2/devices/action?adminDeviceSpaceId=1&actionType=SEND_MESSAGE
Thanks - found the updated API documentation for this as well!
Is it possible with Email+ (iOS and AE) to attach pictures but choose the size of the attached images like with the native client?
Is it possible with MI Access to use a CA rule to limit app access based on Bundle ID and not User Agent?
*Thread Reply:* Do not think so. The user agent is part of the saml request, bundle ID not.
*Thread Reply:* some apps pass the bundle id in the user agent
*Thread Reply:* so based on that you can create rules
*Thread Reply:* Do you have an example of an app that does that?
*Thread Reply:* salesforce I think, let me check
*Thread Reply:* my bad. It’s not the app that sends that but MI Tunnel
*Thread Reply:* Here is the UA for Salesforce app: SalesforceMobileSDK/7.0.0 iOS/12.4 (iPhone) Chatter/220.3(6138468) Hybrid uid2B90ADF6-05B4-4532-8BAD-6701CE66C82B ftrMM Mozilla/5.0 (iPhone; CPU iPhone OS 124 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 iPhone/12.4 iOSiPhone Salesforce1/220.3(6138468)
*Thread Reply:* MS office apps send bundleid but it’s not in user agent
*Thread Reply:* Any way to have the CA policy look at BundleID rather than UserAgent?
*Thread Reply:* I tried that - looks like this but doesn't seem to work
*Thread Reply:* Your issue is because of the wildcard character I think. You should just put “com.microsoft.office” and select partial match
*Thread Reply:* I’m on a call with a customer and looks like the bundle id is not being reported every time. I guess we report that when “CertSSO” is enabled (the zero sign on experience for mobile)
Hey @here today I started get a profile invalid on enrollment on some devices (2 so far) I can enroll other devices with no issue but 2 of them today will not enroll. New devices non dep
Are you sure the Timezone was set correctly, and thus, the device had the proper time set? That would cause an invalid profile (if only some devices have the issue)
Has anyone tested APN deployment (cellular) for an iOS eSIM with current Core version? That is not working for me, so I guess this is not supported yet
*Thread Reply:* No we use custom APNs with our physical SIM cards and we deploy the APn via MobileIron. Now we want to do the same with the eSIM devices. Not sure if the provider has to put that information within the QR code for the setup of the eSIM or if we can continue to use the APN deployment via Core
*Thread Reply:* I do not think that is possible. The cellular payload does not mention anything about eSim at all. Maybe they have set it up very generically, and works with any voice/data service, but I doubt it.
*Thread Reply:* shouldn't the APN policy apply to eSiM also. Why would it be different?
*Thread Reply:* That is exactly what is was wondering. Apparently it is not working. But the cellular payload does mention: A cellular payload configures cellular network settings for the user-selected data SIM on the device. I have no experience with the eSim and I am unsure what Apple means by "user-selected data SIM" in that respect.
*Thread Reply:* The user needs to select which sim (eSim or physical) should be used for data. That sim could then be configured with the policy
*Thread Reply:* Yes thats what I thought too. But we have only the eSIM active on these devices for now, and the APN pushed from Core is not being configured on the device.
@Nico Hermeling has joined the channel
Hi team, I have a problem with per-app tunnel. I have configured the Tunnel app. In the terminal, the app shows "The session is started" and is connected with the Sentry. I want to use Chrome as a tunneled application (configured in the admin portal in the Tunnel app: AllowedAppList com.android.chrome), but when I stop the session I can surf the Internet without problems. Core version 10.4. Android Enterprise.
*Thread Reply:* What is the problem? That you are able to go to the internet without Tunnel? Or something else?
*Thread Reply:* Looks like when tunnel is disabled, Chrome has full access to the net where the expectation is it’d be unable to do anything if tunnel is off?
*Thread Reply:* Hi team, when Tunnel is disabled, I can go to the internet.
I think it is put in Chrome:
AllowedAppList com.android.chrome
SplitDomainsList
SearchDomain
If the tunnel is disabled, you cannot use Chrome. Is this incorrect?
*Thread Reply:* That is how it indeed works.
*Thread Reply:* If you want to force it through Tunnel, tunnel should be set to Always On so that the user can't disable it
*Thread Reply:* I activated this in the enterprise profile with the same result
A customer has just said the below statement to me and I'm a bit baffled, is this true? "With MobileIron we have noticed they replace the phone's existing bootloader with their own, so if there is no SIM card in the phone when the device is activated then the device is blocked/not activated. Does Samsung replace or modify the bootloader when activating a phone on the Samsung KNOX MDM solution?"
*Thread Reply:* Could it be that Zero Touch Enrolment has been set up on the phone?
No the bootloader is never replaced. Not with Mobileiron or Samsung. Weird statement(s)
It was a very weird statement indeed - I was pretty sure it wasn't the case, not sure where and how that got put into their head...
Zero touch / ABM would be my guess as well, unless it's some super secret government program where the government requires some sort of custom bootloader.
But if that was the case they would surely work with the OEM to build a bootloader based on their requirements. That's how I would see it anyway. Samsung will pretty much do anything you ask them to do for a 10,000+ device opportunity
Is it possible with MI Cloud to make admins sign in using MFA? Is there any built-in security like in WS1 that can send a one-time session token either via SMS or email? Or is it possible to use an existing IdP like ADFS or Okta?
*Thread Reply:* You can use Pwd+PIN (User Settings) if you haven't integrated an IdP. If you have, obviously you can use MFA from there
We have support for old Samsung custom ROM systems, but I'm not sure this still exists. @Ajay Patel, today this statement is wrong for me
iOS Activation Lock Bypass Code - do I enter this code instead of the unknown Apple-ID password on the device?
*Thread Reply:* Select the iOS device on Core > Actions > iOS only > Send Activation Lock Bypass Code.
*Thread Reply:* You can disable the activation lock if your devices are supervised. That's a bit easier
*Thread Reply:* Why would I want to disable the activation lock?
*Thread Reply:* Because you do not need it on corporate supervised devices... you have a Wipe command and the devices are DEP I assume. So the activation lock does not add anything
*Thread Reply:* If lost you can put it in Lost mode...
*Thread Reply:* So find my iPhone with its activation lock is just an annoyance and does not add any extra protection.
*Thread Reply:* But wait.. our devices are corporate owned (and DEP enrolled) but personal use is allowed. So we can (and we did) end up with active private apple ids on the device. Sure we can wipe it via Core, but the private apple id would still prompt after it comes back up, right? Or will the DEP enrollment override this?
*Thread Reply:* With supervised devices, the Activation lock is per default turned off. Are you on MobileIron Core? If so, check your Security Policy. It will have an option to turn on/off the activation lock. Now it seems to be turned on. You can turn that off. It still allows the user to use the iPhone for personal stuff. Only his/her Apple ID will not be associated with Find my iPhone, which enables the activation lock.
*Thread Reply:* Yes. find my iPhone still works even if you disable activation lock for your DEP devices. No need for activation lock in the enterprise
*Thread Reply:* @Mark Vonk ah, now it seems a bit clearer! Thanks.. yes we are on Core and the Activation Lock is ON within the Sec Policy, just because we thought we would need it for the personal Apple IDs. Did not know that the Find My iPhone feature is not relevant for personal Apple IDs on DEP enrolled devices! Thanks!
*Thread Reply:* Yes. Remember : find my iPhones ≠ activation lock. The first may or may not enable the latter
Access and GSuite apps on Android. Last I recall, Google’s apps would not use/allow 3rd party apps to route auth traffic through the Tunnel (thus killing the Access/Auth flow). Does anyone know if that is still the case?
The last time I tested this was with VMW’s Tunnel, but I believe the result will still be the same
Is there a way to enable a Kiosk mode for Windows 10 devices with MobileIron Core? I am guessing it can be done via MobileIron Bridge with the use of Powershell CMDlets like Set-AssignedAccess.. any experiences?
*Thread Reply:* Yes but might need some manual SyncML work... Good luck then!
*Thread Reply:* I’ll advise to ask PS to do that
*Thread Reply:* Thanks, I will look into it :female_technologist:
*Thread Reply:* Am I blind or is there no documentation how to setup Bridge anymore?
*Thread Reply:* It’s this super intuitive guy here https://help.mobileiron.com/s/mil-productdocdetailpage?TOC=Contents-1312028976&URL=MobileIron-Core-10-5-0-0-Device-Management-Guide-988678228&selectedversion=10.5.0.0&Name=MobileIron%20Core
Looking for good resources on how to configure iOS Single SignOn configuration with client certificates. We cannot seem to find any documentation what the client certificate needs to contain for AD to be able to correctly map it to the user. We set the NTPrincipalName SAN to the UPN, the cert is issued by an AD PKI but authentication fails.
*Thread Reply:* did you also enable cert based auth on the domain controllers ?
*Thread Reply:* check with "certutil -DCInfo" as domain admin
*Thread Reply:* Always test with username password first and then enable cert later 🙂
Is there a setting (KVP?) to prevent Email+ 3.x for iOS to sync the „recently used“ Outlook contacts?
*Thread Reply:* I’ve not seen one recently. @NicolasR might have a better idea since it’s a MI product.
*Thread Reply:* Right, also not seen anything in the documentation. But in the past I was provided with hidden KVPs which have not been exposed in the docs! 😜
*Thread Reply:* Nope, nothing either internally
If I wipe an Android device will the SD card also be erased? I doubt that. We have a new use case where users use the SD card and it should be able to erase it over the air - I doubt that there are APIs for that. The only solution I see to protect the SD card is to encrypt it.
@Jani Kostiainen has joined the channel
@Wannes De Boodt has joined the channel
*Thread Reply:* I think that makes MobileIron the first to market with “Z-FOTA”? Nice
*Thread Reply:* This part is confusing. The article is supposed to announce support for LifeGuard OTA but then it takes a turn by saying that only MX via OEMConfig is supported and that LifeGuard OTA is coming in the future?
*Thread Reply:* MobileIron will support Zebra FOTA as soon it’s available from Zebra (early access in R67 for Cloud and GA in R68/CORE 10.6 in January). From what Zebra told us we are the first in market
Anyone still using self-signed S/MIME certs with iOS Email+? It looks like after the release of iOS 13 this stopped working. I am not sure, but I believe there was something said that self-signed is not supported anymore?
*Thread Reply:* Correct. Self-signed are not supported with iOS 13 and macOS Catalina.
*Thread Reply:* https://support.apple.com/en-us/HT210176
*Thread Reply:* Thank you @Jason. In the article you provided I cannot find anything about self-signed not being supported. These requirements could also be fulfilled with self-signed certs, could they not?
*Thread Reply:* Ah found it - it's the EKU which is not present with private CAs 😜
*Thread Reply:* Self-signed certificates have been deprecated by Apple for a while now. For example, iOS 10.3 tightened up on this further: https://support.apple.com/en-us/HT204477
*Thread Reply:* But presumably in this case you’re using a local (self-signed) CA to issue these leaf certs for the users?
We deploy an additional mail account to all the iOS devices (native mail app) where we sync all the GAL contacts so the caller id also works for the GAL. Is there a payload to prevent users from editing these contacts or adding new contacts? Some user change existing contacts on a regular basis.
*Thread Reply:* I think I found the answer within the AC:
I gotta test if this will also prevent the modification of other accounts or only this specific one!
*Thread Reply:* Ok so this prevents the user from turning ON/OFF the services within the settings, but the contacts can still be edited. I believe there is no payload for that. Gotta look if there is a way with Office365 to make the contacts not editable
*Thread Reply:* Also the problem is - if one account for outlook.office365.com is configured you cannot add a second one with the same fqdn. Is there a working alias for that? outlook.office.com doesn’t work
*Thread Reply:* I don't get why people think it is important to see who is calling if the person is not important enough to be in my contacts... But maybe one of the GAL sync apps out there is an option? They are read-only afaik.
*Thread Reply:* You are absolutely right - beats me! Yes I am looking into CiraSync and co. Also I am currently trying to remove all the permissions via Powershell (Add-MailboxFolderPermissions) for the contacts - has no effect. Can still edit items on the iPhone
*Thread Reply:* FYI, CORE 10.6 will support these payloads
*Thread Reply:* @NicolasR you mean the payloads of my screenshot above or payloads for prevent editing contacts?
*Thread Reply:* it’s about prevent editing account
*Thread Reply:* Do you have any details on that I could share?
Who knows a document about the magic number from mobileiron for DEP Backups from iOS Devices ?
*Thread Reply:* What magic number? I don't know any recent document from MI on that.
Is anyone using Adobe Reader as a managed app? Managed app configurations are not working for us.
Is there any way with MobileIron Core and iOS Native Mail app to use email signatures? Except from transport rules on Exchange or third party tools I don‘t see a feature on Core (except with Email+ I guess) to implement that. Anyone using something similar?
*Thread Reply:* You can set up a Mail config to push a plain text signature. no images, html or variables.
*Thread Reply:* I don‘t see an option for email signatures within the Exchange config on Core to achieve that.
*Thread Reply:* I'm not sure if it's Email+ only or a general setting, don't have an MI Core at hand
*Thread Reply:* afaik email+ only. Signature for Active Sync is a planned feature for Microsoft Exchange but don't ask me when it will be available.
What exactly is the user experience on an iOS device when I check the option „Use OAuth for Authentication“ within the Exchange config on Core? Will the Safari view controller prompt automatically for authentication on the IdP like ADFS? Or does the user have to jump into the mail app or the settings?
*Thread Reply:* When the setting will be pushed to the device you’ll get a notification that asks to go in settings to set the password
*Thread Reply:* then you have a safari view that prompts and if ZSO is enabled, the view closes after few seconds
*Thread Reply:* Ah ok thanks for the details.. we don‘t have MI Access so no ZSO yet. So the users will have to authenticate manually for now, no big deal for a pilot. The only hurdle could be that the users will not go into the settings or will not find it
@Thiemo Scherle has joined the channel
Hi all. One of our customers has an internal and an external DMZ. They want to use Sentry for EAS with one Sentry interface in the public DMZ and another one in the internal DMZ. Is that both supported and possible?
*Thread Reply:* Just configure and enable the second interface. Make sure you add the correct routes (and default route) and it should work like a charm
*Thread Reply:* I can confirm it works as expected. Thanks for your help!
@Florian FERRAND has joined the channel
How can I enable MAM with an existing MobileIron Core - MAM-Only will not work because I cannot disable the MDM profile. Is there a way like with AppStation? Or will I need another Core instance?
*Thread Reply:* With Core it's EMM/AppConnect or MAM/AppStation. You will need another Core.
Anyone tried MobileIron Help@Work (TeamViewer) with Android Enterprise? How was it? Nice experience?
is MobileIron Access down (tenant eu1)? I can reach the admin portal, but federation seems corrupt on at least 2 customer tenants now
There was maintenance on the EU1 Access system this early morning, but it has completed.
just logged an urgent support case. here is their feedback: Thank you for reaching Mobileiron support. I will be assisting you on this issue.
Our SRE has identified the issue and currently working on the same at highest priority. I shall get back to you once it is fixed.
It's down; you can subscribe to notifications when cloud components are down: https://status.mobileiron.com/
Ok @here, maybe I am losing my mind... I cannot force VPP to sync. When I hit Actions and Update Licenses the progress bar doesn't come up, it just shows my apps.
*Thread Reply:* We are having similar issues. We were not able to have this fixed, yet. And automatic sync does not work for us.
Anyone here use Assemble to run installed application reports? I would like a way to match devices that are members of 2 labels to ensure they are recent devices and doesn't include stale devices (out of compliance, not checked in recently, etc). Anyone do something similar and have a good way of doing this with Assemble?
If not with Assemble, PowerShell works too if you have a script. 😄
We want to use S/MIME with the iOS native client (MI Core). The user needs to upload the cert within the SSP. So I have created the user-provided config, referenced this config in the Exchange config within the S/MIME section and applied both to a label. The user cert (externally trusted) is visible on the device and also enabled in the advanced settings of the mail account. But if I create a new email I receive the error "account not set up for signing..". Found nothing in the Mobile@Work logs, still have to check the Xcode logs. Any help? Maybe the cert doesn't fit the new iOS requirements.
*Thread Reply:* Is the cert itself enabled for encryption and signing? Is signing and encryption configured in the Exchange config? What if you disable signing and only leave encryption? Is the cert also Apple trusted? I would push the root cert of the CA regardless of trust. Are the public certs of the recipients available in the GAL?
*Thread Reply:* You bring up very good points. 1.) The same cert is already being used on Outlook desktop, so I believe signing and encryption should be in them. 2.) Yes, both enabled in the Exchange config. 3.) Gotta test if encryption only works. 4.) Verifying whether it is Apple trusted. 5.) So the root cert of the externally trusted CA, ok gotta check that. 6.) Not sure about that. Is that relevant if the error comes up when choosing "compose new email"? Not sending it, getting the error before that.
*Thread Reply:* 6.) This problem should become visible when you try to add recipients to a new mail.
*Thread Reply:* We found out that the validity of the cert is 3 years! According to the Apple requirements for iOS 13, this is definitely the problem! 😳 Also I can't see the id-kp-serverAuth OID in the details of the cert! Not sure if I should see it, or if it is only visible showing the details via OpenSSL.
*Thread Reply:* Afaik in either case, the private key must have the “Secure Email” extension OID (1.3.6.1.5.5.7.3.4) as an EKU, and (for email signing):
*Thread Reply:* afaik 3 years should not be the problem, since this Apple requirement is only for server auth, not for client.
*Thread Reply:* Ah ok thanks. By any chance do you have the client requirements outlined by Apple? Obviously I have the wrong one.
https://support.apple.com/en-us/HT210176
*Thread Reply:* afaik client certs only need to be trustworthy for the device, and the server they are using them against needs to comply with https://support.apple.com/en-us/HT210176 and also be trustworthy to the device.
*Thread Reply:* did you find the problem?
*Thread Reply:* No not yet. Still investigating
For anyone that is using SCEP profiles with an internal Microsoft CA, how do you handle manual certificate revocation?
Our certcheckjob is showing 1000s of certs in a 'Manual Revocation' state. According to MI support there is no mechanism for SCEP to communicate revocation back to the Microsoft CA. So they must be manually revoked on the CA and will be purged from the Core DB during the next certcheckjob run.
Our PKI team doesn’t want to revoke thousands of certs on their CA. They fear it will severely impact CA / CRL checking performance.
*Thread Reply:* @Phil Hackett they are right in that revoking certs will make the CRL grow. Office 365 just recently "finally" documented that 20 MB and 10 seconds are your limits for CRL in Azure... This would be around 400,000 certs....
*Thread Reply:* BUT never issue certs without a procedure for revoking them again... you also don't print paper with your password and hand them out
*Thread Reply:* Thanks @Peter Mohr. Good info regarding the CRL limits. We're looking at using APIs to automate certificate revocation on the CA side.
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started
Hi everyone! Question about MobileIron and a new implementation of Android Enterprise… We have a few apps that we deploy to Android users by downloading the .apk from the Google Play store and importing into the MobileIron Apps@Work catalog. We are now implementing Android Enterprise and trying to use the managed Google Play store, but when we try to add the app, it gives an error stating that the app already exists. I’m hesitant to delete the .apk as I think it will start removing the app from the devices. We have a ticket open with MI already, but I wanted to see if anyone has encountered this before. Thanks!
*Thread Reply:* This isn't really a good approach to app management.. without deleting the apps I'm not sure you'll be able to do too much. Perhaps create a new space and properly separate AE from legacy? I've not touched MI for a bit though so @NicolasR any tips?
*Thread Reply:* On Core spaces can do the job. AE must be on the global space
*Thread Reply:* We’re on Core but not utilizing spaces. Can you send me a link to the documentation?
*Thread Reply:* Which one are you on? Just got a message NA2 is having issues.
*Thread Reply:* @Phil Burk You should subscribe to updates: https://trust.mobileiron.com Yesterday there was an outage on NA2 yes.
Did mobile iron support user enrollment on iOS 13 ?
*Thread Reply:* not yet afaik. Only JAMF and Intune(partially)
@Julian Brennan has joined the channel
Android Enterprise related: Is it possible to enroll a work managed device using a QR code with a token instead of using a user (like in MobiControl, Google and Intune)? If so, where do I find the token to add to the QR code?
*Thread Reply:* It's definitely possible using the MobileIron Provisioner app. Just download it from the Play Store and you can create QR codes for enrolling Work Managed devices.
*Thread Reply:* I've already downloaded the Provisioner app - It's from that app, I'm prompted for a token (and host name or user name), but I don't know where to find it in the console?
*Thread Reply:* Are you on Mobileiron Cloud or Core?
*Thread Reply:* Ok it’s the “bulk enrollment” menu
*Thread Reply:* Then you create your CSV and it creates a unique token for you
*Thread Reply:* So you have to know which devices will enroll first?
*Thread Reply:* are you talking about the bulk enrollment part of the provisioner app?
*Thread Reply:* or is there somewhere on the dashboard/console, where I can find it?
*Thread Reply:* Bulk enroll is to provision devices based on an S/N or IMEI, yes.
*Thread Reply:* You can ask for credentials and depending on options it can be a Pin or password
*Thread Reply:* ahh - ok. So MI needs to know the device before accepting the token within the QR when enrolling?
*Thread Reply:* This unfortunately makes it a bit more cumbersome than the competition Intune and MobiControl 😞
*Thread Reply:* For some of my setups, it makes good sense to have devices that aren't related to one particular user - Rugged devices and kiosk devices..
*Thread Reply:* where do I create the CSV to obtain the token from?
*Thread Reply:* ahh - I think I found the Bulk enrollment tab and have downloaded the csv template.
*Thread Reply:* So no, MobileIron does NOT need to know the device before
*Thread Reply:* We just need to know if you want to avoid any user prompt and enroll the device with only the QR code.
*Thread Reply:* Basically if you can share the use case you try to achieve we can see how to solve it 😉
*Thread Reply:* he he - thanks! I just want to be able to enroll the devices into kiosk mode with as little as possible user interaction. Normally I'd just add an enrollment token into the QR code and the management system will figure out which tenant to send the device to and which configuration might need to be applied.
*Thread Reply:* I was expecting to be able to point at a particular device group from a given token, but I still need to figure out where to generate/find the token to add to the QR (if this is the way to achieve this in MI) 🙂
*Thread Reply:* The use case would be decentral staging of devices that have been shipped directly to a depot or warehouse and the local IT should be able to enroll the devices by a scan of a barcode.
*Thread Reply:* I guess it should be the same token as used when doing zero touch as the json is pretty much the same 😉
*Thread Reply:* You should use a “technical” user account where all your warehouse devices are associated to. These devices will have a QRCode with the username and password for this account
*Thread Reply:* Important to note is if you are using Android enterprise, check the “device account” setting in the user account settings. This will avoid being limited to 10 devices per user account
*Thread Reply:* So I can't use a token instead of a user and PW? Do I need to have the username and pw inside the QR code?
*Thread Reply:* In that case, the user staging the device will always need to know the password of the 'technical user'?
Has anyone attempted to customize the status info field within M@W for iOS? I would like to add the actual reasons but can’t find where to edit it within Core.
*Thread Reply:* Haven't tried in a while but I believe this may be in the event center?
*Thread Reply:* Yeah, I tried event center and that seems to only send the info via a Push notification, it doesnt populate this section.
@Wannes De Boodt has joined the channel
According to KB article this was "expected for late 2019". Well, it is 2020 now and the article was not yet updated. Would be great to get some news regarding this. (https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TOVjSAO)
Well, Apple finally communicated a date after which new and updated apps using UIWebView APIs will no longer be accepted in the App Store. This means that companies using Web@Work (and possibly Docs@Work) will need to start planning a migration to WKWebView and Per-App VPN.
https://developer.apple.com/news/?id=12232019b
Adding to this 👆 we are working on making Tunnel available for this usage exclusively to Gold licensed customers. Currently, officially, it's still a "per-customer" request, but soon it will certainly change.
*Thread Reply:* can you be more specific? with O365, with or without sentry, just configs, etc?
Is it correct that within MI Cloud, when you make use of managed playstore apps in an AE Kiosk setup, those apps are not automatically updated if there is a new version available in the Playstore ? As long as the device is in Kiosk the app is not updated, but when released from Kiosk there is an upgrade notice for that app.
*Thread Reply:* IMHO this only applies to MobileIron Go
@Balaji Arumugam has joined the channel
What is the proper means to deploy an Exchange Config driving OAuth for the Apple Mail client in Core?
*Thread Reply:* Create an exchange config as per usual but set authentication to oAuth
*Thread Reply:* @Mark Vonk Do you know if Apple ever incorporated a means to deploy an Exchange config, but only with Mail or Calendar or Contacts enabled once it installs?
*Thread Reply:* Yes, since iOS 13.
See: https://developer.apple.com/documentation/devicemanagement/exchangeactivesync
Check the EnableContacts, etc. properties
*Thread Reply:* Nice @Mark Vonk - I had a brief recollection of this feature actually coming to life (since we had asked about it dating all the way back to iOS 9). Oh, happy day 🙂
*Thread Reply:* ==> CORE 10.6
*Thread Reply:* @NicolasR I show 10.5.1.0 GA. Is 10.6 in Beta?
*Thread Reply:* March 4th for GMRC is the target
MobileIron MTD - What does it do for iOS Mail in terms of Phish detection and action?
*Thread Reply:* Hey Eric, HNY! Hope things are well with you. Depends on a couple of factors, including whether you want to take action on the device or you want MI to perform remediation. When you enable local VPN capabilities in Phishing Threats in the ZConsole, it also maps back to the Site Insight Threat Policy where you can perform either device actions or set the remediation in the MDM Action. You can remove, block, quarantine or wipe if you would like. You can also block known phishing URLs at the device level if needed. You want to take a look?
*Thread Reply:* @Paul Troisi is this with updated phishing detection with their VPN capabilities or with the content blocker integration? I haven't looked at this in 6 months or so
*Thread Reply:* Yes, with their VPN on activation, as well as using their own VPN on the device.
*Thread Reply:* @Paul Troisi - Nice! I'll give you a shout tomorrow. If we're able to perform comprehensive remediation on the device (before a user has time to tap/click into a phish attempt) this could be worth its weight 🙂
*Thread Reply:* Any docs on the help site about this?
*Thread Reply:* @Kiran Patel I’m gonna hop into the ZConsole and will look. If not there, @Paul Troisi may be able to scour their help site.
Email+ for Android Enterprise - Signature! There is $Default$ - where can this be changed? Can I use other variables like $email$ or $first_name$ in the config for the signature?
*Thread Reply:* Yup you can, everything is in the documentation for the key value pair
*Thread Reply:* Well, I have looked in the Email+ documentation, but there is not really a lot of info there on how to configure the default signature for AE! Key-value pairs are not relevant for AE! Maybe we are talking about different docs.
*Thread Reply:* Ok, so I was thinking more of the iOS side. So for AE you're right, not required to add KVPs, but definitely the standard variables should work as you mentioned.
@Melkon Torosyan has joined the channel
Anyone using Core and Sentry on XenServer virtualization?
*Thread Reply:* Tried several times with some customers… Not a good idea 😉 And not officially supported
@Anders Hermansson has joined the channel
The Mobile@Work app was pulled from the Google Play Store today. No ETA from MI on when it will be back....
*Thread Reply:* Thank you Phil for letting us know. I was also checking this in the morning and was surprised to see this is not available.
*Thread Reply:* Maybe MobileIron is forcing the Core-2-Cloud migration. 🙂
*Thread Reply:* I am almost sure there was a violation of the Repetitive Content policy (Mobile@Work and MobileIron Go). We had this problem a few weeks ago with our enterprise apps. It took about 24 hours to get them back to the Managed Play Store. Reason: we maintain 3 apps for 3 different environments (test environment, integration environment, production environment). But if you publish your enterprise apps with the iframe, then you can bypass the problem, because they are permanently marked private and will only be scanned for malware. Sure, that is not a solution for MobileIron, but maybe for somebody here.
*Thread Reply:* It is actually an issue with the Phone Call Logs permission the M@W client claims. It is not allowed for regular apps, but MDM clients are exempt after some kind of waiver. Apparently the app was withdrawn by Google despite the waiver. Google is already working on it to get it back.
*Thread Reply:* @Melkon Torosyan we have a much more efficient way to move customers over to cloud without requiring re-enrollment so 😉 As Mark said, it was a mistake from Google Play team and Google AE team have worked with them to restore our app. By the way we had to change the version number as per Google requirement
*Thread Reply:* Hi, this seems to be resolved at this time: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TUgVSAW 🙂.
We use AEWP devices with MI Core. We deploy an in-house app via Google Play to these devices. The app needs to transfer files to a backend server, which sometimes can take up to one hour. Now if the screen lock becomes active (set via Security Policy) the app loses the connection. Is that normal? When the screen lock kicks in, is the network connection within the work profile dead? Can I control this somehow?
*Thread Reply:* You might check whether the app is excluded from battery optimization. From Android 6 (I think) doze mode or app standby might put apps in deep sleep if they use too much battery power.
*Thread Reply:* https://developer.android.com/training/monitoring-device-state/doze-standby
*Thread Reply:* Thanks I will check it out. Sounds like the problem
We are using Email+ 3.X as the email client for the Android Enterprise users. When we click a SharePoint approval workflow link from the email, it opens a blank page without inline text; however, the same link works as desired on the AppConnect Email+. Anyone know how to fix this?
Has anyone had a similar issue with uploading an externally trusted SSL certificate (PFX format) on Sentry: We have a valid PFX, upload within the Sentry configurations on the Admin Portal works, but uploading the same PFX file within the Sentry System Manager fails with the error (no key or no certificate found)..or something similar. We also tried different browsers! Sentry 9.7.2
*Thread Reply:* Does the pkcs12 file contain full certificate chain?
*Thread Reply:* If we upload the file in the admin portal the whole chain is visible. Also if you install it on a Windows Client. Only Sentry MICS will not accept it.
*Thread Reply:* I saw a similar error in the past with S/MIME certificate and key alias matching. Try to import the cert into a Windows machine cert store, then export it with the private key and full chain and import that file into MICS.
*Thread Reply:* Had the same. Converted the cert with openssl. Then it worked.
Isn’t this the TLS certificate on Core? This is still valid but some users receive this:
*Thread Reply:* Does the Certificate comply to the iOS13 requirements?
*Thread Reply:* Ah, so you believe the server certificate which is used for TLS (same as the portal certificate) does not comply with iOS 13? If I browse with Safari to Core from the device it should also not work according to your theory, right? (Which works without issues btw)
*Thread Reply:* No issues with the health checker
*Thread Reply:* How about it:
https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxFxCAK
*Thread Reply:* I'm reading up on Cloud R69 there is some client cleanup "Remote service TLS client AUTH certificate weak signature < SHA384 renewal" being done. Not sure if this will also happen in the upcoming Core release.
Was Android Email+ v2.x also pulled from Google Play? Can't find them and can't deploy them, only version 3 is there.
Does anyone know of an overview of when to use the Profile Manager of macOS Server and when to use Jamf, MobileIron or something else?
*Thread Reply:* I would not use profile manager in production - think of it as a reference implementation that is great for testing
*Thread Reply:* Me too, but is there a fact comparison to a professional MDM System ?
*Thread Reply:* Profile Manager is only for testing, as it can’t scale up for production use. Even Apple admit it.
Hi, has anyone successfully tunneled (MI Tunnel) the HCL Verse app with Android Enterprise Fully Managed with Work Profile and Android 10? The same config is working for Chrome, so it’s not the Tunnel config itself.
*Thread Reply:* Yes, both fully managed with work profile and work profile on BYOD.
@Viktor Dmitriev has joined the channel
Hi guys, I am posting this here as I know it will benefit you - When updating Mobile@Work for iOS to 12.2.0 or 12.2.1, a small percentage of devices lose their registration status in Mobile@Work - KB article: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TWIzSAO. We did not see any cases escalated thus far to us, but from what I have read, reboots or software updates could trigger this behavior on the device side.
*Thread Reply:* Mobile@Work 12.2.2 has been released that resolves this issue.
*Thread Reply:* The update is nicely on time before the mass upgrade to iOS 13.4 starts….
does anyone know if MI Core supports iOS account selective syncing through profile such as just contacts and no mail / calendar?
*Thread Reply:* Nope, not yet supported. I just recently asked our technical presale contact in relation to 10.6 release.
*Thread Reply:* As far as I know it's not in 10.6
*Thread Reply:* Please raise a request to MI if you want to see this implemented in the future. This is imo a big oversight from MI's side as support for that feature would be perfect for Email+ users struggling with contacts sync to native contacts.
*Thread Reply:* Yeah, I was thinking that was going live in 10.6 as well
*Thread Reply:* I was thinking that you could create your own XML and use it… like we did for a lot of Dock/Home Screen setups before it made its way into the Core UI
*Thread Reply:* Depends if you need to include Identity cert via SCEP or not.
*Thread Reply:* Anyway, this was one of the first iOS13 features supported by WS1 UEM. In my opinion easy to implement and quick win.
*Thread Reply:* Yeah / That feature could have been used SO many times for projects I was on in the past.
*Thread Reply:* It is even implemented in Intune... We have already raised this to MI, because some of our customers need this
*Thread Reply:* It was indeed set for 10.6, but fell off for some reason. The next version of Core and Cloud are supposed to have it as these are focused on iOS / macOS
*Thread Reply:* This very disappointing. Come on #mobileiron you can do better than that!
*Thread Reply:* @Mark Vonk does this mean Cloud doesn’t have it either?! Wow what a big miss. I’ll mention it on my call with them on Tuesday
*Thread Reply:* Pushed this up to MI mgmt that this is a critical feature request for our company. We would like to sync just contacts and drive calendar/mail to the Outlook app. Does anyone have advice on how to try this through a custom payload but embed the SCEP cert as @Ladislav Blazek alluded to?
*Thread Reply:* @Kiran Patel this could help you https://mosen.github.io/profiledocs/payloads/common/exchange.html - it is possible to associate an SCEP credential with an Exchange configuration via the PayloadCertificateUUID key. You need to extract that reference from mifs database.
*Thread Reply:* I think the easiest way is to use Apple Configurator / Profile Manager to create an Exchange profile with a fake SCEP config and then replace the reference with the real SCEP payload.
*Thread Reply:* Thank you - that's what we are trying. Was trying to get the formatting of those parameters for the XML, as even the Apple documentation has the details but not the format.
*Thread Reply:* wish @John Zmyslowski and I luck 🙂
*Thread Reply:* @Kiran Patel Actually I am working on it right now as well as we have request from our customer for the same.
*Thread Reply:* lets keep each-other updated :)
*Thread Reply:* I also see a cert pw and cert payload when I export the exchange config from MI
*Thread Reply:* @Kiran Patel so far no luck. Unfortunately SCEP payload must be part of the same configuration profile as Exchange payload to be able to reference it…
*Thread Reply:* @Ladislav Blazek We are close but appear to be having a variable substitution issue
*Thread Reply:* not sure what format $email$, etc needs to be in
*Thread Reply:* if i hardcode the email in the profile appears to honor it but haven't tried it with scep issuance
*Thread Reply:* with a hard coded profile I did get the oauth auth part working with contact only honored
*Thread Reply:*
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>EmailAddress</key>
      <string>$EMAIL$</string>
      <key>EnableCalendars</key>
      <false/>
      <key>EnableCalendarsUserOverridable</key>
      <false/>
      <key>EnableContacts</key>
      <true/>
      <key>EnableContactsUserOverridable</key>
      <false/>
      <key>EnableMail</key>
      <false/>
      <key>EnableMailUserOverridable</key>
      <false/>
      <key>EnableNotes</key>
      <false/>
      <key>EnableNotesUserOverridable</key>
      <false/>
      <key>EnableReminders</key>
      <false/>
      <key>EnableRemindersUserOverridable</key>
      <false/>
      <key>Host</key>
      <string>misentry.test.local</string>
      <key>MailNumberOfPastDaysToSync</key>
      <integer>7</integer>
      <key>OAuth</key>
      <false/>
      <key>PayloadCertificateUUID</key>
      <string>65EF21E0-5F39-461E-AB63-ED00D2D4BB45</string>
      <key>PayloadDescription</key>
      <string>Configures an Exchange account</string>
      <key>PayloadDisplayName</key>
      <string>Penta Contacts Only</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.eas.account.D0F55C47-4633-42F1-8651-96E05A017DA0</string>
      <key>PayloadType</key>
      <string>com.apple.eas.account</string>
      <key>PayloadUUID</key>
      <string>D0F55C47-4633-42F1-8651-96E05A017DA0</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PreventMove</key>
      <true/>
      <key>SMIMEEnabled</key>
      <false/>
      <key>SMIMEEncryptionEnabled</key>
      <false/>
      <key>SMIMESigningEnabled</key>
      <false/>
      <key>SSL</key>
      <true/>
      <key>UserName</key>
      <string>TEST\$USERID$</string>
      <key>disableMailRecentsSyncing</key>
      <true/>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Exchange Contacts Only</string>
  <key>PayloadIdentifier</key>
  <string>MBP-LB-S4U-9.FF125D06-169C-4ED7-80BC-3BC537D65084</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>2143B430-F9F1-49BA-8642-A2832A4DF3D4</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
*Thread Reply:* @Kiran Patel that worked for me for basic auth.
*Thread Reply:* $EMAIL$ and $USERID$ is correctly substituted by the real values for the user
*Thread Reply:* But the PayloadCertificateUUID part doesn't work as the SCEP payload is not part of this custom profile. We need something like $CERTALIAS:<scepprofile_name>$ to make this work.
*Thread Reply:* do you think the scep appsetting uuid suffice?
*Thread Reply:* @Kiran Patel as I said unfortunately no. SCEP payload must be included in the same configuration profile.
*Thread Reply:* @Ladislav Blazek the SCEP cert itself or reference to the existing scep config that's already in core? that's the part where I'm getting lost comparing the exchange config out of MI and looking at the apple documentation
*Thread Reply:* I think I follow what you're saying now... I recall when I tested android enterprise around 2.5 years ago and used it in the AE configs
*Thread Reply:* Too bad we can't embed that in the <certificate> parameter
Can anyone tell me why automatic login is enabled when using the VM console? What's the purpose? Can this be disabled?
*Thread Reply:* Automatic login? What appliance? Typically you should perform an Enable command first to perform any configuration. Without Enable you can only view certain information.
*Thread Reply:* MobileIron Core. If I connect via VMware console it always performs an automatic login and I have no idea why and where this comes from! Connecting via SSH of course doesn’t
Curious what everyone does about setting limits on incoming maximum attachment size for Email+. Default is 10 MB unless you change the KVP. Best practice recommendations are to match Exchange, but doing so may increase the likelihood of a failed attachment delivery.
*Thread Reply:* Normally we set it to match the Exchange limits, to get continuous usability with desktops. With LTE and a good carrier we normally don't see failed delivery often.
Curious / Has anyone tested MI Access with MacOS recently? Does the Tunnel and password-less SSO now work properly? About a year ago (when I last tested) Tunnel wasn’t able to behave how it should have and MacOS was not supported as a result.
*Thread Reply:* Since Packet tunnel (last major update of tunnel - summer 2019), macOS tunnel is good. Chrome and other apps like teams can now be tunneled to provide password less experience. I use it daily on my work MacBook and no pain anymore.
*Thread Reply:* @NicolasR wonderful! I wanted it to work so bad when I was testing it (vs WS1 Access)
*Thread Reply:* @NicolasR can you confirm that this only works on Catalina?
*Thread Reply:* @Woody not as far as I know, our company switched to Packet Tunnel even though we still have Mojave devices in the field
*Thread Reply:* I was working on a PoV last week with MacOS and came across this (https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TQKLSA4)
*Thread Reply:* Oh right this is something that I forgot! This is what made me upgrade to Catalina
*Thread Reply:* Not on Mojave. I have a MBP that’s on Catalina, but it’s bound to JAMF
*Thread Reply:* When this issue happened to me I was running Tunnel with App-Proxy, different from Packet Tunnel. Maybe Packet Tunnel doesn't have this Apple bug.
*Thread Reply:* k! Let me flip it over to Packet Tunnel and see if that has any bearing on the outcome
*Thread Reply:* @NicolasR Packet Tunnel doesn’t seem to have any different result. Tunnel/VPN profile are installed, but it doesn’t connect on-demand
*Thread Reply:* @Woody with packet tunnel don’t use safari domains as it’s different. Try with match domains.
Also.... please don’t test macOS on CORE... It’s a bad idea....! Unless customer can’t be on CLOUD for whatever good reason (government/ministry,...) use Cloud!
*Thread Reply:* Our Cloud product is good for macOS management, not Core to be fair
*Thread Reply:* Unfortunately, we’re going to be w/ CORE for quite some time. Just trying to get as much ROI from the product as possible. It’d be really nice to replace JAMF w/ CORE since it’s servicing only one platform.
*Thread Reply:* We did that also with a customer here but limitations are huge: • No client auto-registration for DEP devices • Scripts need to be signed - painful • No MIP format support (only PKG which also requires signing) Product on Cloud is so much ahead... Seriously, don’t do that with CORE and work rather on CORE to CLOUD migration for iOS/Android devices, our migration product is so easy and works so well (seriously speaking, don’t see any commercial approach here... it just works!)
*Thread Reply:* I totally hear you @NicolasR / Just in a position where what we have is working and we’re focusing $$ on other areas/efforts. What we may do is try to spin-up Cloud in parallel, but for now everything needed (we’re basic, Bro) is good in Core.
Has anyone preconfigured the Microsoft Office iOS apps (new Office Hub, Word, Excel) with the username on Core 10.5.1? I’ve created a managed app config based on this MI article: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxCHCA0
Here’s my plist-file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>IntuneMAMUPN</key>
<string>$USER_CUSTOM3$</string>
</dict>
</plist>
I’ve tried UPN ($USER_UPN$) as well.
The config is applied to my device and the apps are installed, but no luck with preconfigurations.
Any idea?
*Thread Reply:* This managed config is not meant for pre-configuration of the account. IntuneMAMUPN will just mark the corresponding corporate account as managed inside Microsoft apps to distinguish it from personal.
*Thread Reply:* Thanks. So it‘s not possible to pre-configure Office apps with MobileIron?
*Thread Reply:* It is possible to preconfigure Outlook. Then you should be able to see account as available in other Microsoft apps (as they are allowed to share OAuth token in iOS Keychain).
*Thread Reply:* I know it‘s possible that way, but that‘s not an option for the customer. Thank you
*Thread Reply:* Use MobileIron Access for Autologin ;)
*Thread Reply:* For the most seamless experience here’s what we’ve tested and are hoping to roll out soon.
1) Push MI Tunnel, Microsoft Authenticator and MS Outlook to devices, with iOS Managed App Config to preconfigure them. Authenticator will need the VPN tunnel profile associated with it.
2) Using MobileIron Access, the auth experience will be completely seamless (iOS Managed App Config gets the username and home realm discovery done for the O365 tenant). Outlook will flip to MS Authenticator, and MS leverages it almost as an SSO broker app. This also prevents having to attach the VPN tunnel profile to all other apps, which does impact their performance a bit (even if you split tunnel).
3) Once MS Authenticator has the auth token and, as a result, the iOS keychain, as Ladislav suggested, other MS Office apps share it and no username or password auth will be needed. Worst case it flips to MS Authenticator, which already maintains user identity even if it needs to auth again.
*Thread Reply:* but keep in mind Authenticator will hand the auth token also to other MS apps you might not want to use or cover as Managed.
Hi there, is there a way to open a webclip by default in the Chrome browser on a supervised iOS device using MI, instead of the Safari browser ?
*Thread Reply:* replace https:// with chromes:// and http:// with chrome:// 🙂
*Thread Reply:* I knew there was something like that, just as for the web@work browser.. Thanks!
Hi there again, anybody know if it is possible to place the standard Apps@Work webclip on iOS in a different folder/page thru the HomeScreen Layout configuration in MI Cloud? Standard location is the first page but I would like to place it in a folder on page 3 for instance. With webclips this is possible by adding a webclip, and then changing the location in the Homescreen layout by adding the same webclip/URL. Is there a standard URL for the Apps@Work webclip, besides the certificate that is necessary?
Help@Work setup error when I click on Validate, any ideas? Firewall?
*Thread Reply:* 10.6.0.0 - was a FW issue. Teamviewer was blocked!
Changed our Web@Work setup to use Tunnel due to the WebView deprecation by Apple - but we have some backend websites which will not work after this change, they still work with the old configuration. Sentry service is <TCP_ANY>. I am trying to figure out the reason - wrong FW rules maybe? Any ideas?
*Thread Reply:* Well done!! I may give MI a spin given this.
*Thread Reply:* I primarily deal with Zebra Android in dedicated device situations. I see that you offer LifeGuard OTA and OEMConfig for MX support.
*Thread Reply:* Can you also support direct LoB app installs (bypassing Managed Play) for AEDO deployments? And what about File Management capabilities? Can you provision files into specific directories on the devices?
*Thread Reply:* MI supports direct apk installation, but not silently unfortunately (someone correct me if I’m wrong please).
*Thread Reply:* There are no file management capabilities unfortunately (again - someone correct me if I’m wrong please), so you’ll have to do with the OEMconfig, where it’s hard to accomplish an install process with a baseline (receiving a baseline config) and different levels (could be warehouses) where other files and configs are needed. At least, I have still to figure out the great method.
*Thread Reply:* Thanks for the insights! Agreed that, while FileMgr is there in OEMConfig, it is not ideal to have all the configuration settings in a single policy like that. OEMConfig also relies on Managed Configurations which I’m fairly certain would have been affected by the Google Play server outage over the past couple of days. We can’t have that sort of issue in mission critical device deployments.
*Thread Reply:* Without file management capabilities MI would be DOA for us. We have numerous external config files that we distribute that need to be placed in specific directories on the devices.
Stay safe everyone, feel free to leverage MI to face WFH situation for free 😉
Has anyone successfully added VPP licenses for an iOS Custom App to MobileIron Core? I have ‘bought’ the VPP licenses for the available custom app but when I try to import the licenses to MI Core I see an error N/A (AppId: [id of custom app] not found).
*Thread Reply:* it works, I have some customers using it and I helped one setting that up last week 😉
WebView deprecation and Docs@Work - with the current release there is no way to enable the new Webview and migrate to Tunnel, right?
*Thread Reply:* but deprecation postponed due to covid
*Thread Reply:* Really? Is there an official statement from Apple?
Hello Everyone. Does anyone know if there is any MobileIron free training?
*Thread Reply:* Hello! I do not believe so, but @Russell Mohr or @NicolasR may be able to shed more light on the subject.
*Thread Reply:* Mobileiron university online is free for our partners and customers
*Thread Reply:* Ah yes. I was thinking @Luiz Nascimento was alluding to Instructor Led training.
*Thread Reply:* We do that locally for partners sometimes with instructor
*Thread Reply:* Got it Thanks @Woody and @NicolasR
VIP Notifications for iOS Email+ question - there is a product bulletin with the need of a new Sentry for ENS. My questions:
- Is this also relevant for CNS v1 (Cloud Notification Service)?
- Prerequisites are that VIP notifications need to be enabled - is this real time notifications, hence CNS v2? I find nothing in the Email+ guide about VIP notifications. Where do you enable VIP notifications now?
vip notifications is a userfeature in email+ app
there are only two options: go for CNS2 with VIP, or VIP notifications won't work anymore
*Thread Reply:* Ok got it thanks. So CNS v1 will not be impacted by that?
*Thread Reply:* VIP notifications need CNSv2 to work now. It's a new requirement for VIP notifications to work. If your users are not using VIP notifications, you don't need to implement them the new way. CNSv1 has problems, so it is a good idea to implement v2 regardless of VIP notifications: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxdxCAC
Hey Everyone. Has anyone seen an issue where certain apps are "stuck" in the state "PromptingForManagement" and the user either never receives the prompt for management or they have already selected "Update" in apps@work? (Core 10.5.1 on prem)
Having an issue with Email+ on iOS:
- We use Kerberos Constrained for Exchange
- We use the Core CA for issuing the certs
Native client works without issues BUT Email+ will not work - it will bring up a password prompt after the config was loaded. (Promptemailpassword is set to false) I have enabled "show configuration" and I can see no errors. The user has been issued a cert and it is on the device, also the root cert of the Core CA is on the device. Has anyone any idea what the issue could be?
*Thread Reply:* Can you share your config? Did you add apptunnel rules on it? (You should not)
*Thread Reply:* Rookie mistake.. someone imported the wrong root cert! :facepalm::skintone_2:
*Thread Reply:* 👍 Always good to look at the config on monday morning after good rest right? 😉
Having an issue with a backend site and W@W: Opening the backend site via bookmark works without any problems. Opening the same backend site embedded as a javascript link on an intranet site will not work. Any ideas? Is javascript not supported?
*Thread Reply:* Javascript is supported but I know some specific technologies are not supported through Tunnel like Web socket
FYI, we had to bring down the KB article about the latest iOS vulnerability as per “someone’s” request... Hopefully Google cache is still there...
*Thread Reply:* MobileIron mentioned also Microsoft Outlook as an alternative - can Outlook be used with Kerberos Constrained Delegation? I don‘t see any fields in the app to put the SCEP in like with Email+ so I guess not - Update: so I found an article that Sentry is not supported so that answers my question. No KCD without Sentry. Right?
How do we enable Mobile@Work for already enrolled DEP devices? Mobile@Work was not deployed for DEP devices - we want to do this now. But on some devices we receive the message "Application reset, please re-register" - but that fails because the MDM profile is already installed. What is the normal process here?
*Thread Reply:* Ok, so just push M@W as app to install upon enrollment. It will self-register when user opens it.
Be careful: by default the registration window is 4 hours, but it can be changed in the UI starting Core 10.5+
*Thread Reply:* So you mean it can take up to 4 hours until the self-register will work?
*Thread Reply:* user has to open M@W during the 4-hour window
*Thread Reply:* but the 4-hour window can be set to a higher value
*Thread Reply:* 4 hours from when M@W was pushed, or from the DEP enrollment?
*Thread Reply:* Count down starts when M@W gets installed
*Thread Reply:* Where do I find the setting to change that value?
*Thread Reply:* sorry my CORE is broken at the moment can’t check exactly where...
*Thread Reply:* Awesome - thank you. 👍👍 helped me out tremendously!
*Thread Reply:* @John Zmyslowski check this thread. @NicolasR can the 1 year extension window for Mobile@Work activation also occur for MI Cloud & MI Go App?
*Thread Reply:* also, have you used tiered compliance actions and notification rules in MI Core to prompt the user to launch the app?
*Thread Reply:* great info here as always @NicolasR
*Thread Reply:* @Kiran Patel on Cloud the window is 24 hours but renewed every time, so basically no limit 😉
Sanity check… I have a device that has a Core Security policy with a 90 day pass-code expiration. If I want to extend that by 45 more days, could I clone the existing policy, add 45 days (in total 135 days for expiration) and the pass-code expiration would extend on the device?
*Thread Reply:* No, setting won’t change unless doing it manually
*Thread Reply:* @NicolasR Just to clarify, updating the security policy on the device (to a value greater than 90 days) would not extend the length on the device?
*Thread Reply:* it should work, as it’s not a device local setting
*Thread Reply:* not the same as for auto-lock time
*Thread Reply:* Okay @NicolasR, I remember that. There is some difference between the MDM setting and local setting for the screen timeout values (and different between iPhone vs iPad)
Trying to avoid having someone change the lock code on a fleet of iPads in a facility unless they absolutely have to
Can someone explain to me if this is the correct option what I am looking for:
I have to enable a VPN config within Web@Work for testing the WebView deprecation only for pilot users, not for everybody. Every user is using W@W at the moment, so I have to enable the VPN config with Web@Work AND check the option "Per App VPN by Label Only" so that only my pilot users (which have the label of the VPN config) are affected, not everybody else. Right? I don't want W@W to trigger the VPN for everybody, because only the pilot users have the VPN config. Is this the right way?
*Thread Reply:* Great, thank you @Almar Diehl . Wasn’t there a bug if multiple labels are used that a VPN config will remain on the device even though the label was removed? Not sure if this could cause troubles.
Is there a way to show exchange email calendar on iOS native calendar app using Email+ like the way we export contacts from email+ to native contacts?
*Thread Reply:* if you push both calendar and contacts out to native then why do you have E-mail+ at all ?
*Thread Reply:* yes, for iOS 13+ you can push a profile without Mail and force users to not be able to enable mail. So you can deploy contacts and calendar native sync and/or mails in E-mail+
*Thread Reply:* How do i configure that. Just deselect ‘Email’ from ‘Items to Synchronize’?
*Thread Reply:* should be that easy but I don’t know if your version of MobileIron supports this yet…
*Thread Reply:* As far as I remember it should be released in one of the next Core versions, but it‘s not released yet
*Thread Reply:* Since the core does not support this configuration yet,is there any other means to push this configuration to devices?
Due to the recent Apple native mail vulnerabilities, we are planning to switch all our iOS users to Email+. However, when we test Email+ on our test environment, we are facing an issue with email notifications, though real time notification is enabled. Is this a known issue?
*Thread Reply:* Has Apple acknowledged this vulnerability? I didn't see it yet on the Apple site... and Email+ is free?
*Thread Reply:* @Rajesh Kumar https://mobilxperts.slack.com/archives/C1UC210GM/p1588062200091000
*Thread Reply:* For real time notifications you need what we call CNS - Cloud notification service.
To answer @Rajesh Kumar Email+ comes with our Gold bundle which is the most common one for most of our customers
Hi all, because of the Apple native mail issues I have a customer that wants to remove the native mail app from approximately 25.000 devices but does not want to let all users delete the mail app themselves. Therefore I am looking for a way to remove the mail app automatically. I hoped that removing the mail app from the homescreen, using an app restriction config, would do the trick. But although the app is being hidden, ActiveSync in the background is still happening.
Any ideas?
*Thread Reply:* apply rules on server side to only allow specific apps or use Sentry IP... if you are distributing email config, stop that (does not seem like you are). You have not provided any info on setup, so hard to say what you can and cannot do
*Thread Reply:* Sorry, we are distributing mail config and are using Sentry. But blocking server side or just removing the mail config will not be enough because a user might also have configured private mail accounts in the native app. So they really want to totally block or remove the native mail app.
*Thread Reply:* Maybe because mail is not the only app. Comes with Calendar, Contacts, Notes and Reminders
*Thread Reply:* Thanks for the idea Nicolas! Just added all mentioned apps to the App Restrictions. Unfortunately ActiveSync still remains active.
*Thread Reply:* If the customer admin removes the Exchange ActiveSync profile, the corporate account will disappear and it remains available only for personal accounts
*Thread Reply:* Users can not configure it back manually if the Exchange server is behind a Sentry
*Thread Reply:* On Exchange ECP, they can in addition block iPhone and iPad mail clients by leveraging Client Access Rules
*Thread Reply:* This way only other mail clients like Email+, Gmail or Outlook, when configured properly, will be able to sync thru Sentry
*Thread Reply:* Thanks Raul but as said, just removing the corporate mail profile and blocking the iOS mail app is not sufficient. If the user has a private mail account configured it is still not safe. For a 100% solution the mail app has to be removed from the devices.
*Thread Reply:* You can use MTD to detect if personal email is used to compromise the device (though it can’t detect personal email being detected)
*Thread Reply:* ah, if they also don’t want to allow them to use personal accounts, assuming that the device is supervised, they can leverage app restriction for mail app. (This will make it disappear)
I think it’s too strict as if they are managing supervised devices, the issue is addressed in the beta of iOS 13 so as soon as it’s out in GA, they can force the update
*Thread Reply:* if they are not using Supervised devices, then there’s nothing to do but to pull AS profile and block Exchange
https://www.mobileiron.com/en/blog/mdm-compromise-and-cerberus-malware-attack
Does anyone out there use Global Proxy with Per-App VPN? Ran into an issue where the connection randomly drops; I can recreate the problem in test environments. Remove the global proxy from the equation and it works seamlessly.
*Thread Reply:* Assuming it's per app VPN, what is dropping the connection - Proxy, Sentry, remote server or client? Is the connection that drops idle (like a terminal) or active with data periodically flowing, and does it re-establish or need manual intervention?
*Thread Reply:* You can remove the proxy from the equation and it still seems to fail. Just having a proxy.pac file specified with rules that say all traffic should go direct causes it to drop eventually. Connection has active traffic, the website in my test lab refreshes every second. Needs manual intervention, the webpage will never physically show a timeout.
As for where the connection is dropping I haven’t been able to determine that. We’ve got MI and Apple involved, was seeing if anyone out there in the broader community uses global proxy and has seen similar issues. Interesting that when I setup perapp with Workspace One and UAG it seems to handle the configuration with no issues.
I have registered a macOS device using the web-based configuration - the only thing is: Mobile@Work was not installed automatically during this enrollment process! The guide states that this process will automatically install Mobile@Work. What did I miss?
*Thread Reply:* not supported on CORE (and not planned...)
*Thread Reply:* Registering silently is not on Core
*Thread Reply:* that’s why it's better to download the client, and register from there if you are registering without DEP
*Thread Reply:* for example, from https://mac.mi-labs.es
*Thread Reply:* you can upload the app to Core, and deploy it as in-house, but users will be prompted to type credentials in this case
*Thread Reply:* that’s why initiating the registration from client is better
*Thread Reply:* Ok perfect thank you 🙏
*Thread Reply:* Wait. Mobile@Work for MacOS. Did I miss something? There is an actual installable client for that platform?
*Thread Reply:* same client for Core and Cloud
*Thread Reply:* Don’t ask me why they named it Mobile@work, but this is being discussed and name will probably change this year
*Thread Reply:* Makes sense / Feature parity with WS1 in how it deploys/executes scripts
*Thread Reply:* So what would be the best approach to deploy an XML file to a certain location on the Mac? macOS Script via Mobile@Work and copy the XML file from another accessible server? I can‘t find that there is a way to deploy an XML from Core otherwise.
*Thread Reply:* If you want to execute scripts without needing the M@W client on Core, you can use Packages without binary. Just include in the PKG the XML file + the script required to copy it to the right location
*Thread Reply:* PKGs need a valid signature from a dev account, that’s the only downside
*Thread Reply:* Ah gotcha thanks. And deploying apps via AppStore (pkg file) should also work, right? I have uploaded the pkg for Cisco AnyConnect as inhouse app, but it doesn’t get installed on the Mac.
*Thread Reply:* Ran into some issues with the installation of the profile on some of the MacBooks. What could be the cause that the installation of the profile fails? Error message: "profile installation failed! The profile with the name bla bla could not be installed due to an unexpected error - Internal error:1" - any idea what could be the cause of that?
*Thread Reply:* Ideas:
- Is an active iCloud account mandatory for a successful installation/enrollment?
- Admin account for the profile installation, or is a user account sufficient?
I can’t find a document for the compatibility of Mobile@Work for iOS - I have an iPhone running iOS 10 where Mobile@Work seems to have a compatibility issue. While trying to download Mobile@Work from the AppStore it states that M@W is not compatible with the iOS version. Can anyone point me to a document if this is true?
*Thread Reply:* iOS AppStore should allow you to get the previous version of M@W
*Thread Reply:* iOS 10 official end of life is in June 2020
*Thread Reply:* How would I get the previous version?
*Thread Reply:* Expected automatically... but not sure, hard to test here
We are looking for a good solution with the following use cases:
- KeePass app on iOS where we can also access our KeePass databases stored on-premise
- Business card scanner where we can store the scanned information directly to the Exchange account. Since we use Email+ I doubt that this is possible.
Any experiences around here?
*Thread Reply:* I don’t know if this is On-Premise but I know it can receive AppConfig https://www.keepersecurity.com/en_GB/
*Thread Reply:* and I don’t know if this can scan business cards but worth asking 🙂 https://marketplace.mobileiron.com/listing/securecontact%20x%20business
In terms of Android Enterprise, is there a way to deploy it without "Location" being enabled? I don't show any specific config values that allow me to disable it per se.
*Thread Reply:* AFAIK there was a change with Android 10 that GPS needs to be enabled in order to successfully apply a profile like WiFi.. correct me if I am wrong. You are on Cloud or Core?
How does one bulk update iOS with mi? I click one at a time and get this window.
*Thread Reply:* Are the devices that are members of that policy supervised, and are there updates available for these devices?
Is there a way to block Adobe Cloud within the Docs@Work configuration. I know Box and Dropbox can be blocked.
*Thread Reply:* why don’t you just block adding any site and map remotely the required ones?
*Thread Reply:* It's just about the trust on the devices... Sectigo (formerly Comodo) had some issues in the early times anno 2012, but has improved trust on devices significantly. - I am mainly waiting for a Let's Encrypt integration on Core/Sentrys 🙂 TLS 1.3 will make life harder in many unforeseen ways (e.g. renegotiation will be dropped, something Core and Cloud work with intensively). We will get lots more ports and certificates.... so automation will be key
*Thread Reply:* problem is that Let’s Encrypt CRL is based on OCSP and doesn’t expose any CRL distribution point thru http/https.
If you are leveraging Common Criteria mode, those certs will not work
*Thread Reply:* With Sectigo, the only thing that you have to keep in mind is to get the latest CA chain as it changed recently
@NicolasR do you know when Apple’s Shared iPad functionality is slated to arrive in Core?
Guys, I’ve managed to make Samsung Email work fine on Android Enterprise thru Sentry with KCD.
*Thread Reply:* Wow this sounds great - totally interested!
*Thread Reply:* I'm interested too.
*Thread Reply:* Import the app and configure it like any other AE managed config
*Thread Reply:* Thanks a lot, will test it this week
Hello all, It’s Friday and ICYMI: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000kAYNSA2 😉
MTD with MobileIron Core - Port 8883 for CPS - "..this port must be open for the service to function" Not very much detail regarding source and destination - Core must be reachable on Port 8883, or who is the source/destination?
So Core must be reachable from internet thru port 8883
For those who need to generate a QRCode for Android Enterprise enrollment from an iOS device.... I’ve built this shortcut: https://www.icloud.com/shortcuts/c5ffbcf8bf1a4d1eb8156f74a05159b6
Feel free to reach out to me if you find a bug or missing things
*Thread Reply:* @Tobias @Fabian as I’m not an expert on DT hosted platforms, let me know if I missed something or if I can improve something (for example set fixed hostnames for DT Cloud)
*Thread Reply:* At least DT cloud has its own FQDN: https://dt.mdm.telekom.net/ - And it is very likely to not be changed 😉
https://www.youtube.com/watch?v=e72MCV6BiAA
MobileIron MTD question - MTD detects if a device has an outdated OS version installed. In our case we tested it with both Android and iOS. In the zConsole both devices are flagged because of the outdated OS version - fine! Within the M@W client on Android, MTD shows the outdated OS, but the M@W client on iOS doesn’t, even though the zConsole shows it. Why?
Also, is there no indicator on the devices in the Admin Portal device overview for devices which have an active threat - an indicator like violating an app control rule? I guess that's what the zConsole is for, right?
BTW - I really like the setup of MTD! Great stuff
*Thread Reply:* Hey @Mikey2000,
I have an iPad mini 4 registered to Core 10.6, and now I see the outdated OS threat inside M@W
*Thread Reply:* My guess is that today is when Apple has reported some CVEs that made the current iOS version officially vulnerable, as this morning it wasn’t showing anything as you said
*Thread Reply:* Did you deploy an MTD local policy?
*Thread Reply:* Sure because that’s what makes the threat to appear inside M@W
*Thread Reply:* TRM policies will not be shown inside M@W, only local policy threats
*Thread Reply:* Right.. Same on my iPhone 6s - I mean the pending update. Maybe I missed something in the local policy then. For Android I have no local policy but it still appears in M@W
*Thread Reply:* you have to enable the Show notification setting on each rule inside MTD LocalActions policy to show the threat inside M@W
*Thread Reply:* Great thanks.. but there is no indication for MTD threats on the device in the admin portal right?
*Thread Reply:* on portal is more for Admins, not for the user
*Thread Reply:* On MTD Console I only enable alerts to be sent to admins,
*Thread Reply:* but the notif sent to users is only triggered from local actions policy
*Thread Reply:* Yes but I mean wouldn’t it be interesting for MDM Admins to see the active threats? But I guess that's what zConsole is for..
*Thread Reply:* yeah, the threat log is only shown on MTD console.
*Thread Reply:* Even if you tie an online remediation action, this will not be very informative for the MDM admin
*Thread Reply:* it’s always better to check MTD console
*Thread Reply:* and configure alerts there to send Threat Reports to admins
*Thread Reply:* that’s how I notice if there are any active threats when I’m not inside the MTD console
*Thread Reply:* Yes that sounds about right.. I will thanks 🍺
*Thread Reply:* Can you shed some light on the labels which are needed:
- Label(s) for the activation configuration (needs to be applied to the devices)
- Labels for the compliance groups on Core (like MTDBlock, MTDQuarantine, etc) - no need to apply these to devices because they will be used if a compliance issue triggers, right?
- Label for the event settings on Core - like MTD Event Detected - should this label be applied beforehand, or is it also used if an event is going to be triggered?
Also I guess these labels need to be known or activated in the zConsole, right? On page 21 in the guide it says that labels need to be created before setting up Core with Zimperium, which was not the case.
*Thread Reply:* Perform the integration from MTD console to Core.
Recommendation is to import the iOS and Android labels (both).
On Core, apply the activation config to the labels that you wish. It doesn’t need to be the same labels of iOS and Android.
Then create 2 local actions configs (1 for iOS and 1 for Android) and the phishing config, and apply them to the labels that you wish.
If you also need to use online remediation actions, for example for a chained remediation (I use it for outdated OS threats) then you need to create the compliance actions and so, to reference them in the TRM policy list on MTD console.
*Thread Reply:* For this last part, follow this https://help.mobileiron.com/s/article-detail-page?urlname=Mitigation-and-compliance-via-the-management-console-using-multi-tier-compliance-action-56561773
*Thread Reply:* Thanks - „Recommendation is to import the iOS and Android labels (both).“ you mean the default filter labels?
*Thread Reply:* yup. Import them to the MTD Console when you do the integration
*Thread Reply:* What did I miss if this is unavailable? (zConsole - Policy - Threat Policy)
*Thread Reply:* You have to select the TRM policy created for each Label imported (iOS and Android)
*Thread Reply:* Ok thanks.. this is very complex 😜
*Thread Reply:* Now it all makes more sense! Thanks! Didn’t see that switch..
*Thread Reply:* You need the Platinum license to use MobileIron Tunnel. Except if you only want to use it for MobileIron productivity apps (D@W, W@W…) for iOS, then the Gold license will do. Note that MobileIron licenses are changing to “Secure UEM” and “Secure UEM Premium”.
*Thread Reply:* Thanks - we configure this VPN configuration for our third party VPN solution, so I guess the platinum feature doesn’t apply here right?
Which MDM rules do you use to detect, prevent or hinder jailbreaks of your devices early on?
*Thread Reply:* Security policy, device compromised to remediate
*Thread Reply:* Ok, but which settings will help you to prevent jailbreaks like unc0ver?
*Thread Reply:* For unc0ver - apple has released patched version 13.5.1.. please request user to update to this version asap.
*Thread Reply:* We have integrated JB/Root detection in both the UEM Clients, but these will often rely on known signatures. For a better security approach I would advise to use MTD on top of UEM as this will protect also for 0-days and unknown JBs like we have seen with unc0ver. Which was actually detected by both our Client and MTD as it had a known signature.
*Thread Reply:* I see it resolves this Custom VPN issue, but nothing else showing up https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000kACwSAM
*Thread Reply:* The documentation is available including the release notes. https://help.mobileiron.com/s/mil-productdoclistpage?Label=Core&Id=a1s3400000240gaAAA&Name=MobileIron+Core
Make sure to select 10.6.0.1 at the top right corner.
*Thread Reply:* I have verified it today and the custom ssl vpn works again
*Thread Reply:* 10.6.0.1 also patches a major security issue...
*Thread Reply:* @Almar Diehl does that same issue exist in 10.4.x? Or just the 10.6 line?
*Thread Reply:* In all versions. There are upgrades / updates from 10.3 and up. But even lower versions than that have the issue, but there is no update for those.
Hi all, Please patch the CORE, SENTRY, Connectors and RDB/Monitor if you haven’t done it yet. If necessary patch first and upgrade later (as upgrades require some preparation / testing)... More details at: https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g065SAA
Just a quick question: I know there is a CLI command for Core to disable all user access but I can not remember/find what it is. Anyone?
*Thread Reply:* what’s the task you’re doing that requires that?
*Thread Reply:* I guess you mean to keep all admins out of the console, maybe to upgrade Core?
*Thread Reply:* Upgrade of HA environment. Had to be done late at night without modifying the loadbalancer. So prevent users/devices to access to secondary server while we are upgrading the primary.
*Thread Reply:* probably @Jay Robinson & @Daniel Reis are there as well
What is the normal procedure to enroll a Zebra device into MobileIron Cloud? Not like Android DO enrollment, hence I don’t need AE for Zebras, right?
*Thread Reply:* If the device is on Android 6 or 7 it should work. I’ve registered several
*Thread Reply:* Ah ok thanks.. I thought Zebras can only use StageNow
*Thread Reply:* You can actually send also SN XMLs afterwards from MI
*Thread Reply:* If there’s something you want to do that is not in the UI
*Thread Reply:* And for AE COSU enrollment in Cloud I need only the kiosk policy, right?
*Thread Reply:* Yup. Deploy apps and add those apps to the Kiosk config to see them inside
*Thread Reply:* Is there no AFW enrollment setting like in Core which I need?
*Thread Reply:* You have to ensure to apply the Work Managed Device config that comes pre-created with the MI Cloud console
*Thread Reply:* By default COPE and DO configs are applied to all androids so change the distribution, and that’s all
*Thread Reply:* For the kiosk, create a Lockdown config of type Work Managed device and enable the kiosk there
*Thread Reply:* Do I have to turn on kiosk like on Core on the device or in the Go app?
*Thread Reply:* You can use StageNow for DO enrollment in AirWatch and SOTI, I’m not sure if that is an option for MI
*Thread Reply:* This is usually my preferred enrollment mechanism for Zebra devices since you don’t have to type anything or tap on Hello There or anything. One scan to bypass the GMS setup wizard and a second scan to connect to wifi, download an agent, install it, set it as DO, and enroll into the EMM server
*Thread Reply:* Yeah, thanks, it’s def supported on MobileIron Core and Cloud.
*Thread Reply:* @Matt Dermody FWIW I've tested AEDO with MobileIron Core from StageNow. Requires a bit of custom intent calling that took a while to figure out, but I've stuck the details here for those coming across this discussion in future! Should also work with MI Cloud https://cwsisecurity.com/resource/project-recap-enrolling-zebra-devices-to-mdm-in-android-enterprise-device-owner-aedo-mode-using-stagenow/
*Thread Reply:* Thanks for sharing @Philip Harrison (CWSI), great stuff!
*Thread Reply:* Fantastic, thanks for sharing!!
Anyone else also seeing Mobile@Work detecting iOS 14 devices as jailbroken? Hoping MI addresses this soon so we don’t have to put beta testers into a test policy :(
*Thread Reply:* Hi @Kiran Patel this article should provide some guidance https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000g0I8SAI
How many use the MobileIron API regularly? I use it for cleanup, complex deployments and to give our users the ability to opt into and out of some configurations via a ServiceNow form.
*Thread Reply:* Unless one is supporting a large fleet of devices as used by (pharma/banking) people don't take advantage of API
*Thread Reply:* We leverage them (for there are various APIs currently around) for delivering IronWorks - a MobileIron reporting and dashboard solution - to our customers.
*Thread Reply:* Sorry for the self-promotion plug, but we gather the data daily using these APIs, so seemed relevant here.
*Thread Reply:* We manage about 13000 mobile devices. I run daily python scripts to…
• Delete Retired devices from the console after 30 days.
• Reset temporary configs I’ve allowed users to opt-in to
• Fix odd stuff until official fixes come through (i.e. Ownership settings etc).
• Supplement complex deployments (i.e. Removal of Native mail config when exchange last sync is more than 7 days)
Hello folks.. wanted to see what level of anticipation you have for new features from Apple. Which feature(s) can you not wait to get your hands on when iOS 14 or macOS Big Sur hit the markets (public releases)?
*Thread Reply:* I can’t wait to see new Arm-based Mac hardware myself. 🙂
*Thread Reply:* that definitely will open the app developers to more possibilities for their apps..a wider user base. Apple seems to be going BIG for the enterprise market now
*Thread Reply:* Hmm, not convinced their enterprise approach is quite there though. It is hard to interweave a Mac laptop into a MSFT ecosystem, and Apple’s support for alternative services is woeful - DNS, web, email and similar services are no longer supported/shipped, for example.
*Thread Reply:* I’ve always felt as if there had been a clause in the MSFT loan to Apple back in the day that prevented them from competing on the enterprise desktop/server space. Apple’s approach has always been piecemeal there, even by MSFT standards.
*Thread Reply:* I think and this is just my personal opinion that Apple has struggled to get developers to enterprise for Macs..and till date the Win7 to Mac issue haunts Apple from progressing in enterprise
*Thread Reply:* There is an underlying acceptance in the air about Microsoft being THE productivity suite..that is why they showed office on new silicon
*Thread Reply:* I'm pumped about ScreenTime on tvOS. Not for enterprise so much, but for the household 🙂
I will start with my fav.. My favorite feature for iOS is going to be encrypted DNS (i changed my mind)
May be a close second is non-removable managed apps
Did any of you ever install a Sentry server on Azure? I am currently trying. Following the instructions from MobileIron I have the server up-and-running (I can see it on the console) but when I try to SSH into the server to complete the configuration I get a ‘connection refused’. If I test port 22 from the Azure portal it claims that SSH can be used from any ip.
Anyone got a solution for the connection refused?
*Thread Reply:* Did you define a password in the parameters.json ?
*Thread Reply:* Then you should be good to go, as the default Security Group allows SSH over port 22, and the default password is defined in the json file before starting the procedure of creating the blob
*Thread Reply:* We found a solution, seems to be a bug in the 9.8.1 VHD. Re-installed with a 9.7.1 VHD and that works fine.
*Thread Reply:* Do you mean to use whitelist and blacklist features?
*Thread Reply:* I only allow internal traffic on AE managed Chrome
*Thread Reply:* Yes @Raul! We pretty much prefer Chrome around these parts, so wanting to deploy to iOS and lock it down similar to that of Safari
*Thread Reply:* ah, but on iOS there’s no managed config for Chrome, sorry for the confusion
*Thread Reply:* Ah, darn! I was thinking I had come across at least a couple managed configs for Chrome on iOS in the past.
Can anyone explain uploading an in-house APK for distribution via Android Enterprise? I've uploaded to Core and have the AE box checked, but it's wanting the License (which I downloaded)... but there's a bunch of excess in that file.
*Thread Reply:* Uploading an APK directly to Core is intended only for DO mode devices and will not allow you to configure it.
What you should do, once that you have the AE bind configured to deploy AE, is:
Go to Apps catalog and do as you would to import a public app. This will open the iFrame.
At the left you will see a pane where you can choose between public apps, private apps or web apps.
*Thread Reply:* Choose Private app and hit the coloured + button to upload your private apk
*Thread Reply:* it will be published and later you will be able to handle it like you do for public apps.
*Thread Reply:* this method will make app available for all 3 AE deployment methods
*Thread Reply:* Righteous. Thank you so much @Raul! 👏
*Thread Reply:* @Raul after it goes Pending, do I need to stay on this screen?
*Thread Reply:* Disregard. Looks like it remains in that iFrame from Google even if I leave/return
Okay, apparently the app will still host/install without the license? Just tried it for giggles and it installed.
*Thread Reply:* The json file you get from Core when you upload an apk directly is intended for self hosted deployment, and requires a paid developer account, but you don’t need that to deploy regular private apps.
*Thread Reply:* Just follow the guidelines I shared on the other comment
Anyone familiar with this one? Looks like a firewall issue:
*Thread Reply:* It is likely firewall related but have seen a few times when the token is corrupted and just going through the process once more with a new token seems to work.
*Thread Reply:* I cannot find anything being blocked from the Firewall. DEP service within Core has the status success! Tried three times with a new token, same error!
*Thread Reply:* Is there a proxy with SSL offloading? This led to a similar issue for a customer.
*Thread Reply:* Thanks for the input @Nico Hermeling - no we have no proxy. Have to find the logs on Core to get more info on this.
*Thread Reply:* maybe wrong token (DEP, Wrong account on refresh)?
*Thread Reply:* Turned out to be a browser issue! Chrome destroyed the token. No issue with one of the others and it worked!
Samsung Native Email app on Android Enterprise devices with MobileIron Core - will the native client work with MobileIron Access hence support for Modern Auth?
*Thread Reply:* This is a request for Samsung as they need to support modern auth to be configured remotely
*Thread Reply:* AFAIK they only support Basic and Kerberos
*Thread Reply:* There’s no managed config exposed to configure Oauth
*Thread Reply:* That is what I thought.. damn
*Thread Reply:* just an FYI it would seem Samsung email does support this now via Managed Config.. see attached image...
*Thread Reply:* Ok interesting.. but we use Exchange On-Premise. Do we also need Modern Auth?
*Thread Reply:* Scratch that.. Access is not relevant for Exchange On-Prem with Sentry anyway, right? As long as we do not migrate to O365 we are safe right?
*Thread Reply:* It was not available, but as @Ajay Patel mentions, it was added recently! Good find, thanks
*Thread Reply:* You can also configure Exchange On-Premise to use Modern Auth, but normally you only do it when going hybrid
*Thread Reply:* AFAIK you need at least 1 account on O365 to do so, and that’s automatically a hybrid environment
*Thread Reply:* When using Exchange + Sentry you can use KCD which is the best experience for on-premise mail
*Thread Reply:* unless you use Outlook for sure, that doesn’t support KCD
*Thread Reply:* Indeed, modern auth for on-premise Exchange only exists when your exchange is hybrid: configured to interact with Exchange Online. No need for an actual mailbox on EOL yet. https://docs.microsoft.com/en-us/office365/enterprise/hybrid-modern-auth-overview
What could be the cause for the following issue:
We deploy Email+ for AEWP devices with MobileIron Core. We use Exchange Online. When our users change the password in the local AD it sometimes takes ages before Email+ accepts the new password, sometimes Email+ doesn’t accept the new password at all. My guess: Core still has the old password stored in the variable $password$? But the users enter the new password also in Mobile@Work. If we use AAD Connect with Password Hash (not ADFS) the sync needs to happen before Exchange Online is aware of the new password, right?
*Thread Reply:* Core does not store any password or hash of password. Authentication happens with AD
*Thread Reply:* And what is the feature „save user password“ on Core?
*Thread Reply:* Ah, yes, that feature is there.
*Thread Reply:* This is what I could find : To get the new password synced to Core, we should go to Core > Users > Resync LDAP (make sure you turn off the LDAP Discard % in the LDAP-preferences)
*Thread Reply:* This is to force a sync or you will have to wait for your sync to happen
*Thread Reply:* Ok right thanks. Since this is a manual resync this is impossible to schedule because I would never know when a user changed his password. But thanks for the hint!
*Thread Reply:* But I believe it is also possible that Azure is not aware of the new password if the AAD Sync didn’t happen
*Thread Reply:* Possible. Passthrough authentication from AzureAD solves this latency issue
*Thread Reply:* Save Password is intended to save the password typed during registration
*Thread Reply:* It’s not good, as when it changes on AD, if the user doesn’t log in to Core SS, the stored password doesn’t change
*Thread Reply:* If you have Exchange Online, I recommend you to give CBA a try
*Thread Reply:* It will not be killed by MS, and works like a charm since 2016
*Thread Reply:* If you want to force AAD to check cert CRL, and you’re not using Core as CA, you will need to expose the CRL to internet
*Thread Reply:* Great input! Thank you Raul!
*Thread Reply:* Best approach is to use Core as standalone CA or to turn it into an intermediate CA from your internal CA
*Thread Reply:* This way Core will expose the CRL for you
*Thread Reply:* Checking CRL is not mandatory anyway
*Thread Reply:* MI Access can be leveraged and will cover Exchange and also the rest of O365 apps, while CBA is only useful for Exchange Online, so keep that in mind
*Thread Reply:* @Raul do you know how to stop exchange online CRL checking? Have tried to find it, but no luck
*Thread Reply:* It depends on how you leveraged the PS1 commands
*Thread Reply:* New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation is the command I used. Which parameter will stop CRL checking?
Hello folks, does anyone know if it is possible to enable advanced options on MobileIron Go like we can do it for Mobile@Work?
*Thread Reply:* Not so far I’m aware, what are you looking for?
*Thread Reply:* @NicolasR I was looking for the Google reauth feature
*Thread Reply:* Feature or issue with reauth? Assuming you are referring to Google managed play reauth?
*Thread Reply:* there was an issue on CORE where we introduced manual re-auth request for Managed Google play for troubleshooting purposes. Not sure Cloud is affected at all from this, haven’t checked
*Thread Reply:* I was looking for Google Play reauth because some users are facing issues when using a user based account. Changing to a device based account resolves the issue but the user has to reenroll.
*Thread Reply:* @Florent N. You should contact support for this. The re-auth that you are talking about should happen silently.
*Thread Reply:* Also, there was something that only our support team could trigger for user>device account, as we did not want this to be done for all customers. I will leave it at that.
We deploy a managed app config for iOS for an Store app. The developer submitted us the xml so we can configure the app via MobileIron Core. The managed app config gets applied on the device, but no configuration is happening within the app. I am trying to find out why. Can’t think that the developer sent me a wrong XML. Any suggestions how I can find out more about this?
*Thread Reply:* if the app is really managed and the XML gets applied, I think it’s a syntax problem in the XML or a bug in the app
*Thread Reply:* Did you check the setting to use a plist instead of managed config, inside iOS app properties?
*Thread Reply:* @Raul not sure if I can follow you. Within the AppCatalog when I click on edit on the app there is not really a lot to configure and also no option to use a plist instead of a managed config - this is what you mean right? Would that mean that the app doesn’t support managed app configs? Just checked the option within Cisco Jabber, I can see the option there!
Uploading the managed config, is the file extension important? Like .plist or .xml?
*Thread Reply:* @Wolfgang Bauer thanks, yes the app is managed - checked that in the appcatalog..
*Thread Reply:* I’ve found that this setting only appears when the app accepts managed config so maybe that’s a different story
Is anyone using MobileIron Cloud to deploy software to macOS? If so, hit me up. I’d love to pick your brain.
*Thread Reply:* We currently use Munki and are evaluating MobileIron’s software delivery capabilities. One thing we would like to do is package and deliver a single file but MI doesn’t appear to be able to do this. It reports that it has installed it, but the package is nowhere to be found.
*Thread Reply:* Are you doing anything like this?
*Thread Reply:* Hey @Jay Robinson curious about the use case, as delivering as multiple files will also allow more granularity
*Thread Reply:* Hi @NicolasR, I work with Jay… the specific use case that brought this on goes like this. I want to place an executable in a location on the machine, that can be activated at a later date via the scripting tool in Mobile@work. When I package the executable file and deploy via munki---no problems at all. When I deploy the same package with MI, the file does not show up. I have tried a traditional package, a package created using the MI packaging tool, and signed and unsigned versions of each. With each deployment, Mobileiron says that the “app”[package] has been installed, but the executable is not present
*Thread Reply:* Also looking for the ability to cache packages like I can using the “precache” key in munki
*Thread Reply:* @Tohsheen ☝️This looks like something we can do but not sure, can you have a look?
*Thread Reply:* @Jay Robinson @CJFrickle - lets talk about this on a call. ~I will shoot you an email about this
We would like to add our On-Premise CRM tool to MobileIron Access (Access As A Service, Delegated IdP) so we can leverage SSO and Conditional Access. We already authenticate with ADFS. Looking for the main tasks - I found documents for Cloud Services, but not how to add custom On-Premise applications. Can somebody point me in the right direction?
Basically I have to create a delegated IDP Pair for ADFS so I get the PS Script to execute on the ADFS to make Access aware. But how can I make sure that only our CRM tool is being used by Access? We have multiple On-Premise applications that use ADFS but we only want to use one of them with Access. Do we have to manually modify the claim rules on the ADFS or can the Access Admin Portal UI help here?
*Thread Reply:* You can do depending on your ADFS version
*Thread Reply:* ADFS 3 or 4--> limit the claims providers that each Relying Party Trust can use, and allow Access only on the one you want to be sanctioned.
ADFS 4+ only --> You can apply the webtheme only to the RPT that will be sanctioned
*Thread Reply:* What would you recommend before executing the PS script on the ADFS - Snapshot, Backup or else, what is sufficient in case something went wrong.. not really too familiar with ADFS yet.
*Thread Reply:* When you talk about ADFS + Access as Del-IdP, rolling back is as easy as setting the default webtheme active again.
*Thread Reply:* so add a ps1 file with the cmdlet to set the default webtheme, and you will be fine
*Thread Reply:* You can take a snapshot, but as the code that changes the traffic is contained in the custom webtheme that you are applying, rolling back is simply a powershell script
Can anyone tell me what the problem is when several iOS devices are not APNS capable and why they are not capable? This has to do with the APNS token which seems to be missing for Mobile@Work right? How do I solve this?
We are on Core 10.7.. Devices are able to check-in. The Devices are enrolled via DEP. I believe this could have something to do with Mobile@Work after the DEP enrollment. The user only has a certain amount of time to open the app until the token is gone right?
And one stupid question: what is the downside if the devices have no APNS token? Since the check-in works, all devices can get new configurations and policies anyway, right?
*Thread Reply:* APNS capable means that they are capable to receive APNS push messages inside the M@W client (different than MDM APNS). Users that have not launched M@W once are the ones that appear under APNS capable false.
By default users have 4 hours to open the client but since Core 10.5 you can change the value in the UI.
Downside: no client check-in (different from MDM check-in) and no Jailbreak detection/MTD activation
*Thread Reply:* So for all users who have not opened M@W within the 4h, they will have to open M@W and newly register? Is that even possible if the MDM profile is already installed? Or do we have to retire the device and re-enroll?
*Thread Reply:* Just delete Mobile@Work client and re-download it to get a new “window” (with the new TTL of the nonce token)
*Thread Reply:* **the download must be done from apps@work
*Thread Reply:* Ah ok.. so need to install a new profile? Because we block manual profile installation
*Thread Reply:* Simply the application
*Thread Reply:* Neat trick for DEP (supervised) devices is to hide other apps except M@W / use homescreen layout / change wallpaper (with a message) after enrollment to force users to open the app. You can create a dynamic label based on client check-in / APNs capable flag etc. to disable that dumb mode automatically after successful client check-in.
*Thread Reply:* but that solution doesn’t really scale from customer reports: Label calculation may take up to 2/3 hours.... 😢
Anyone familiar with this error on Core? Some VPP apps will not install on the device:
*Thread Reply:* Is the app still there in store? Does the VPP Sync work on other apps?
*Thread Reply:* Yes it is Mobile@Work. VPP sync works.. Other VPP apps are getting installed!
*Thread Reply:* bought enough copies of it in ABM? do you have multiple mdms in one ABM location?
*Thread Reply:* Yes plenty 500 licenses, only 2 devices at the moment. No, only one MDM
*Thread Reply:* try to delete mobile@work in core if only two devices and readd it (maybe select the correct country before search in core) and then refresh VPP token and try again
*Thread Reply:* We have 2000 devices which are not DEP enrolled. So they already have M@W deployed via the Default iOS Label. So I can‘t delete it that easily. We are in the process of migrating devices to DEP. So the first step would be to get rid of the iOS label. Having the iOS label (no VPP) and a new label for DEP devices (VPP enabled) on the same app - maybe that is the problem.
*Thread Reply:* ah ok, hmm then maybe only token refresh and resync
How can we find out what the reason for a sent event is? After the upgrade to Core 10.7 Core is sending out a lot of warnings to the users „configuration not compatible“.. and we don‘t know why. Checked the blocked reason within the advanced search, but the affected devices are not shown. Any ideas how to locate this?
Security Reason Code: 0x40000000 Security State: 1 Is there an explanation what this means?
UPDATE: After the Upgrade to Core 10.7 most of these devices show under configurations - System iOS Enterprise AppStore the Status Update Failed!? In the Policy Violations Event the setting „iOS Configuration not compliant“ - is this related to the failed update of the webclip maybe?
*Thread Reply:* Most of the devices are on the watchlist for these 3 system configs. I am sure this is related to the policy violations event „iOS configuration not compliant“ right? Looks like an Update issue
*Thread Reply:* Please raise support case... this kind of things can create a lot of subsequent issues
*Thread Reply:* Right I will, thanks But how can I find details in the event and what triggered the event? There is not really helpful info in the event
*Thread Reply:* The security event code is not publicly communicated for security reasons
*Thread Reply:* You can have the detail in plain text I think
*Thread Reply:* Somewhere in the device details but I don’t expect this to be related
*Thread Reply:* Ok thanks. It would be great if you could create a event template with more details. But not really a lot of variables which can print out more info.
Has someone deployed docusign(On Premise) digital signature solution via Mobileiron?
Are there plans to support watchOS with Core or Cloud? How are you guys handling the Apple Watch within the company?
*Thread Reply:* There are no MDM payloads for watchOS, except for some iOS restrictions that you set for iPhones. As long as there is no MDM endpoint, there is not much any vendor can do to support it.
*Thread Reply:* Yes, what @Mark Vonk said. Some of the policies for phone trickle-down to Watch. So at least we have that going 🙂
Does anyone recall if there is a setting in GSuite to only allow Google Sync (ActiveSync) connections from trusted source networks? So if I wanted to front-end any EAS traffic with a Sentry (short term plan until we go Google Account when it’s fixed in Core), could I lock access down?
I know we did this many moons ago when MI and Sentry were fresh on the scene. I just can’t remember if that’s still an option inside the GSuite admin area.
Interesting question - is anyone using Microsoft Teams with MobileIron Access? We are planing to roll this out - should I expect any problems?
*Thread Reply:* @Mikey2000 Do you have other O365 products in use with Access? Can't say I've yet seen a cookbook specific to Teams.
*Thread Reply:* Yes, iOS and Android Enterprise
*Thread Reply:* Android Enterprise works straight out of the box, some quirks with split tunneling on iOS.
*Thread Reply:* There is no cookbook for Teams specifically. Use the cookbook for ADFS and Office365 instead. Assuming you have ADFS of course. There are no cookbooks on individual Office365 apps, just Office365 in general, which includes Teams, but all other Office365 apps too. So others like EOL, Sharepoint, etc will be dealt by Access too.
We had an issue before with Teams not working combined with Access. To fix that we had to enable forms based authentication for Teams.
Has anyone seen this - can‘t see any new updates on Sentry 9.8.1 and if I click check updates I receive these errors:
*Thread Reply:* To which version are you expecting to upgrade? Since you are on 9.8.1 there are no upgrades. There is a 9.8.5 but that is not a version you can upgrade to, only fresh install.
*Thread Reply:* Ahhh ok! That explains it! 🤣 thanks
@Mikey2000 happen to have a visual on the CLI when it fails?
Or if you invoke a softwareupdate on the CLI what does it return?
I can’t delete apps on DEP enrolled devices even though I have no restrictions in place (MobileIron Core) - where does this setting come from? It is not normal behavior right?
*Thread Reply:* Do you have a Homescreen layout setting?
*Thread Reply:* Ah yes I have.. Is that gonna bite me in the a$$?
*Thread Reply:* If users install private apps they should be able to delete them
*Thread Reply:* yes thats your problem, i think
*Thread Reply:* They can do from Device Settings / IPhone or iPad Storage but I agree on this is not good experience
*Thread Reply:* Good point, I didn’t know that - thanks 🙏
Android Enterprise connection from core doesn't work over outbound http proxy right?
How do I have to use the Beta deployment option on labels with Core? I only see production in the dropdown menu when I try to attach the label to an app, no BETA. What am I missing here?
@Mikey2000 You need to inform your MI account manager to whitelist your Organization ID. Once they have done that, you will see the Alpha channel option under the dropdown while you assign the app (if a Beta version is available) to a label. Docs@work 2.11 beta testing is going on. So you can inform the MI team to include your organization ID as well.
*Thread Reply:* So the Beta option in the label is only visible when a developer adds our organizations ID within a Beta channel on GooglePlay?
*Thread Reply:* Yes indeed, the devs adds your orgID. Then, after some time (could take some hours, up to a day), the alpha and beta channels show up.
Anyone know if Core supports SPLUNK Cloud? I see mentions of Enterprise, but was curious if I could plug in a Cloud indexer and achieve success?
Mobile@Work has a button for enrollment via QR code. Is this related to Zero Sign-On or how can I leverage that?
*Thread Reply:* You need to create a QR code for every single device registration and make it available to the end user. A colleague has created code that can be added to the enrollment template to automatically add a QR code to the registration mail and on screen info.
*Thread Reply:* This sounds very interesting. So basically all the relevant info for enrollment needs to be in the QR code like userid or email, PIN or password.. Is your colleague using Web API call for this? This sounds great.
*Thread Reply:* Yes, I Will post the code later on.
*Thread Reply:* Thank you - you’re the best! 👍
*Thread Reply:* Ah, even better, MobileIron added the solution my colleague came up with to this Knowledge item.
https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TSDVSA4
Extract:
Implementing infrastructure for QR code with device PIN
The below procedure works for iOS devices and utilizes the PIN code as part of the registration.
1. Enable the PIN code registration
*Thread Reply:* 2020 is getting better every day 😜👏👏👍👍
*Thread Reply:* The part with mirp://.. confuses me.. we still need a webpage?
*Thread Reply:* No, mirp is the schema used by the Mobile@Work client. So the URL opens the M@W client and adds the data supplied in the URL to the registration fields.
*Thread Reply:* Gotcha... have to try this tomorrow! Thanks!
*Thread Reply:* Works like a charm. Is this also included in the M@W for Android?
*Thread Reply:* Got it, is also in M@W for Android and works fine!
Just a quick question: we are using certificate pinning in the MobileIron Tunnel app. I guess that when we renew the SSL certificates of our Sentry servers (which will need to be done more often thanks to Apple) we also need to apply the new certificate to the Tunnel app? Since we got over 30.000 devices we will see some errors during the process (every device needs to apply the new Tunnel config). Or should we temporarily disable certificate pinning?
*Thread Reply:* Yes. You will need to “view” the Sentry certificate from Core as it makes Core aware of the new cert. copy/paste the cert in the tunnel config and save to get a repush. Until the device gets the new tunnel config, it will fail to connect due to the mismatched certs. You could indeed disable pinning. But if the goal is to have certificate pinning enabled, I would not bother as it means you will have to repush the config multiple times.
*Thread Reply:* Yes had already the pleasure of troubleshooting this!
If I change the in-app registration to PIN but the DEP profile uses Password, will this be a conflict or can we still use password for DEP enrollment?
Is anyone using KCD with Web@Work and Docs@Work and has already switched to the new WebView? My SSO Configuration is somehow not correct because it is not working. Can someone share me screenshots of a working configuration? Specially the VPN, the SSO and the SCEP for renewal and the Label attachment.
*Thread Reply:* We have KCD working in W@W and D@W with WkWebView. However, without the SCEP renewal (so users have to enter their password once a day).
Hard to supply screenshot due to the nature of the company, so if you can supply your screenshots I can compare them.
*Thread Reply:* Ok that would be fine. If you find some time could you share your configs? It is not working at all for us and I compared the configs with MobileIron Docs but was not able to find the error.
*Thread Reply:* I edited my reply (hit the enter button too soon). Hard to supply screenshots.
*Thread Reply:* Everything is attached to the same label
*Thread Reply:* I think your SSO config is wrong. In the username field you have $USERID$, this should be the Kerberos principal name.
*Thread Reply:* You mean NT principal instead of the userid?
*Thread Reply:* No, I mean the actual name of the account that has been created that has the right to fetch the kerberos ticket on behalf of the user.
*Thread Reply:* Sorry, I was looking at a wrong, not working, configuration in the test-environment. $USERID$ is correct. But in your SCEP configuration I see that you use $USER_UPN$ for the Subject Alternative Names. According to the documentation this should be $EMAIL$.
*Thread Reply:* B.t.w. since you are using a local CA, is this CA ‘known’ by your AD servers?
If Local CA:
• Requires trust between MI local CA and KDC
• Follow directions in below KB entitled How to force KDC to trust local CA:
• https://help.mobileiron.com/s/article-detail-page?Id=kA12T000000TUMpSAO
*Thread Reply:* Core was integrated as a SubCA within our Microsoft PKI
*Thread Reply:* In your SSO config, set the Identity Certificate to None for testing purposes. You should then just be prompted for your password. And otherwise, enable level 3 or 4 logging on the Sentry server and see if there are any errors there.
*Thread Reply:* Good point, thanks! I will give it a try and keep you posted.
Bloomberg reporting that MobileIron possibly going up for sale: https://www.bloomberg.com/news/articles/2020-08-20/software-company-mobileiron-is-said-to-explore-potential-sale
*Thread Reply:* This is interesting... or frightening.. not sure yet!
@Suresh Gopi Kolluri has joined the channel
Third party MDMs can soon be used with Intune and Conditional Access - currently only WS1 in the list. Can anyone tell me when this is coming for MobileIron Core?
*Thread Reply:* It’s unfortunate that MS essentially paywalled the old API - in any case, Core is expected to have this very very soon. Chat to your account rep if you want to enquire about the beta
*Thread Reply:* Core 10.8 should be released in the second week of September. Not sure if this feature was implemented though
We started a while back before iFrame was available in Core to deploy inhouse apps for Android Enterprise devices via Google Console. Now that the iFrame integration on Core is pretty cool, is there a way to bring the existing inhouse app into the iFrame view on Core so we could do the update management from there? Currently we don‘t see the app there.
*Thread Reply:* You have to share the apps uploaded to the dev account with the iFrame account's Google Enterprise ID.
*Thread Reply:* You mean upload the APK again? But the package name will exist within Google Play already
*Thread Reply:* No you’ll have to assign it from one to the other via the Org ID
*Thread Reply:* it will still be primarily housed in the original location but you will be able to have visibility to it through the iFrame once it is shared with the org ID associated with that iFrame
*Thread Reply:* https://arsenb.wordpress.com/2020/07/01/how-to-publish-an-app-to-customers-managed-play-store-with-android-enterprise/
*Thread Reply:* arsen covers this process fairly well
*Thread Reply:* Ah wow thanks I will look into that
Is it normal behaviour that when we send out a large number of push notifications (to iOS devices, e.g. that an update to iOS is available), a lot of devices will never get that notification? Is it a problem on the Core side or more on the device side?
*Thread Reply:* This is a known issue with Core. Make small groups or use mail notification instead.
*Thread Reply:* Ok, thank you, we will split the messages into smaller groups, then....
*Thread Reply:* @Wolfgang Bauer is there an issue number or something we can refer to to get this issue fixed? Or just something learned from experience 😉
*Thread Reply:* It's a known issue, according to MI. I don't have an issue ID and don't know of a KB article. Open a ticket 😉
*Thread Reply:* Will do that, that's why I asked...:-)
Anyone seen the new Gartner Magic Quadrant? MI dropped out of the leaders! Thoughts?
*Thread Reply:* Ok I’ll start.. Sure this might be related mostly because of Windows 10, which is not huge with MobileIron. But this will make it hard or even impossible to make the argument that MobileIron is way more superior than Intune, which I still believe is the case in so many ways! You may think what you want about Gartner, but I believe this is pretty much the first nail in the coffin for every admin who is fighting the war on the field day by day preventing migrations from MobileIron to Intune.
*Thread Reply:* It's the Magic Quadrant of Windows management. They reframed the criteria (towards Windows management). So there are only a few vendors in the race. The only way to keep the quadrant was to shift positions, which was done badly, I think..
*Thread Reply:* Hi, Gartner have added a lot of weight to VDI scenarios where Microsoft and VMware are strong and where MobileIron have nothing at the moment. This is one of the biggest reasons why we are here.
*Thread Reply:* Also this year, due to COVID-19, Gartner didn't take feedback from customers like other times, which was a big miss in our case as our customers are our best asset 😍 (proof point is Gartner Peer Insights)
*Thread Reply:* This quadrant is weighted very heavily on VDI and Windows 10. It doesn’t reference Intune specifically, rather MEM and the data should be taken as such. I see a lot of spruikers on LinkedIn talking about their amazing foresight, when they’re basically asleep at the wheel and can be replaced by any other mindless MSP that recommends MS without taking into consideration business requirements, as demonstrated by their lack of understanding (or wilful misrepresentation) of this data. Neither product is better or worse than it was prior to the quadrant announcement and as usual, make a business case and measure requirements before making a decision.
Can I change an existing LDAP configuration on Core from LDAP(389) to LDAPS(636) without impact or should I create a new configuration for LDAPS?
*Thread Reply:* Yes you can, no problem.
I need to create a report from Core of how many devices have no passcode. For iOS there is the property "passcode present".. what about Android devices? Can't find anything useful!
*Thread Reply:* If you require your users to change the passcode every x days you can use the following filter:
"common.platform" = "Android" AND "android.prvpasswordexpiration_timeout" = null
*Thread Reply:* The problem is we had an issue with a label so a lot of devices didn’t receive the security policy where a passcode was enforced. They received the default security policy with optional passcode. So we just want to know how many devices have no passcode set!
*Thread Reply:* When there’s no passcode, encryption is disabled
*Thread Reply:* so you can use that attribute on filter
*Thread Reply:* This is also the case for Android device admin and Android Enterprise?
*Thread Reply:* Most modern Android devices have encryption enabled out of the box.
Anyone using a Managed App Config (plist) that installs a SCEP certificate for the app? The certificate will be used for certificate-based authentication to a backend server. Just wondering how to set up the SCEP certificate in the plist file. Should the following work?
<key>usercertificate</key>
<string>$CERT_ALIAS:[SCEP CERT NAME]$</string>
Hello, will Web@Work be available for AE ?
*Thread Reply:* W@W is not available for AE, MI decided to use chrome instead as essentially almost everything that you could do with W@W can be achieved with Chrome and AppConfig.
*Thread Reply:* Hello Mathieu, I was just wondering if it was newly added to AE because the screenshot said that it is available on the Google Play
WKWebview deprecation - why do we have to choose no identity certificate in the W@W config when using Tunnel and the new WKWebview? (MI Core 10.7.0.0)
*Thread Reply:* If you just need to replace AppTunnel with Tunnel to connect, then you don't need to add a cert to authenticate to Sentry.
*Thread Reply:* So just apply per-app VPN, add the KVP and apply iOS SSO
*Thread Reply:* Then you will have the same passwordless experience and connectivity
*Thread Reply:* For the connectivity, Tunnel will present its own cert in order to connect to Sentry
*Thread Reply:* Thanks Raul! Yes that is exactly how my configuration looks, but I Still have some difficulties with this - SSO won’t work.
*Thread Reply:* Will have to look deeper into this
*Thread Reply:* No rules within the W@W config would tunnel everything thru sentry right?
*Thread Reply:* I have enabled the VPN within the W@W app to trigger, but I don‘t see the VPN sign like I do with safari
*Thread Reply:* ah, because you have to send a command to reinstall the app on all devices so the Per-App VPN flag is applied. It’s only added during app installation.
Hey does that get triggered for users on MobileIron Core?
*Thread Reply:* better use Device based VPP
*Thread Reply:* Oh really.. someone must have chosen this wrong. Any chance I can find out quickly which app was chosen for user based VPP without going through every app?
*Thread Reply:* apart from browsing the database I don’t think
*Thread Reply:* Yeah, I don’t know if it will prompt you to accept it for each app that is set as User Based
*Thread Reply:* We are still receiving prompts on a lot of devices even though we found the app that caused it and changed it to device-based license. Any caches we need to clean?
*Thread Reply:* probably that you have another app in that config
*Thread Reply:* We went through every app, everything device-based. But we have a couple of apps in different device spaces - maybe there is a mismatch
Anyone using HCL Sametime (formerly IBM Chat) in combination with Per-App VPN? For some reason VPN is not automatically starting when the app is launched. When manually starting VPN the app works OK.
*Thread Reply:* I think iOS 14 has some enhancements to triggering per-app VPN; would you happen to have tested in 14?
Are there plans to support .pkpass extension (Apple Wallet) for Email+?
*Thread Reply:* A feature request is opened but no real progress for now, don’t expect 2020: PREQS-452
*Thread Reply:* feel free to reach PMs about that 🙂
If this is enabled a user cannot add and remove accounts - for Work Profile that means that a user cannot add accounts within the work profile, right? Within the private profile he still can, right? (MobileIron Core)
Are there any videos of MobileIron MTD of like phishing protection and how it looks like in action? Could not find a lot on the knowledge base. Thanks!
*Thread Reply:* Otherwise more official videos are here
https://www.youtube.com/c/mobileiron
*Thread Reply:* Thanks, great videos! Can MTD also help with the use case that a virus scanner would cover, like if a user opens an attachment on the device which contains a threat, or if the user wants to store that attachment on the device?
*Thread Reply:* I would say, yes. I am not an MTD expert
*Thread Reply:* Virus scanners are comparing files based on their hashes. Having a malicious app or a doc containing weird code does not pose a risk per se. Based on the fact that, depending on the platform, filesystem-based scans cannot be performed due to lack of permissions and/or sandboxing concepts, such scans simply cannot happen because of this limitation. MTD uses AI-trained engines to detect abnormal behavior on the device compared against expected normal behavior.
*Thread Reply:* Yes, that makes sense. I think i assumed someone was executing malware sourced from a file
The new versions of W@W and D@W for WKwebview only are scheduled for release today - not there yet - any idea when this will happen?
*Thread Reply:* They were pushed to 9/21 as far as I remember
*Thread Reply:* So not today? On september 21?
*Thread Reply:* confirmed that this is the current plan
*Thread Reply:* by the way the beta is out
*Thread Reply:* <minor rant> I wish people would use dd/mm by default, or failing that, the ISO standard of yyyy/mm/dd … </minor rant> 🙂
*Thread Reply:* Still no new version. What’s going on?
It will be very soon but remember that Apple is not a fast releasing company
Just had another admin send an install request to ALL. How do I stop it?!
*Thread Reply:* hope it was not TikTok app 😛
Can anyone tell me how the XML file should look like with a Managed App Config for iOS? (MI Core)
*Thread Reply:* Something like:
<managedAppConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <version>1</version>
  <bundleId>com.adobe.Adobe-Reader</bundleId>
  ...
</managedAppConfiguration>
*Thread Reply:* Thanks.. I used a key tag for this..
*Thread Reply:* Thanks, worked like a charm thanks to your hint
Real Time Push Notifications with Exchange Online - will this work, or the better question: is this supported?
*Thread Reply:* Yes, you can do RTN for Office 365
*Thread Reply:* Of course with Sentry, right? Is there a documentation for this?
*Thread Reply:* Because ENS states O365 is not supported
@Stefan Feicke has joined the channel
Has anyone upgraded Core to 10.8? Any issues to report? Need to get it into PROD to support the new Google Account on iOS.. but typically wait until there is a .1 update to resolve any issues.
*Thread Reply:* In test (4 Cores in total) it is working fine. No production upgrades yet though.
*Thread Reply:* Some hundred Cores upgraded to 10.8 - No issues yet
Microsoft Tunnel? Wow, very intuitive name! Sounds like copyright infringement to me 🤣
*Thread Reply:* https://www.vmware.com/products/workspace-one/access.html
*Thread Reply:* Since we need a Linux server to run MS Tunnel, could we install MS Tunnel on a MI Sentry server 😂
*Thread Reply:* How much longer before MobileIron takes them to court for copyright infringement, anti-competitive practices and patent infringements?
*Thread Reply:* They also copied MobileIron Rooms! https://techcommunity.microsoft.com/t5/exchange-team-blog/book-a-workspace-in-outlook/ba-p/1524560 #onlyDinausorsKnow 😎
*Thread Reply:* MI Rooms is still available?
*Thread Reply:* HOPEFULLY NO 😂
*Thread Reply:* WS1 Tunnel, MI Tunnel, MS Tunnel. It's a synonym for VPN these days
*Thread Reply:* As long as they don’t call it Microsoft MobileIron Tunnel..
*Thread Reply:* WS1 changed the product name to Tunnel long time after MI released the product.
We need to renew our external certificate for Core and Sentry. The new shorter certificate lifetime requirement for iOS 14, is this also required here?
*Thread Reply:* Well this just sucks.. thanks!
*Thread Reply:* It sure does suck. And it can get worse because there are ideas of lowering the lifetime to 98 days.
*Thread Reply:* But this does not affect user certificate that we use for KCD right?
*Thread Reply:* No, those are safe 🙂
*Thread Reply:* But then again, those would be the ones that are easy to (automatically) renew.
So, MobileIron was bought by Ivanti. Not sure what to think of this! 🤔
https://www.mobileiron.com/en/company/press-room/press-releases/mobileiron-to-be-acquired-by-ivanti
*Thread Reply:* Interesting that PulseSecure was also picked up. Ivanti looking to build a suite of endpoint management, security, and connectivity. Makes sense as thats where WS1, Symantec, Microsoft etc are all going
*Thread Reply:* Initial thoughts: I like the Pulse Secure co-acquisition, there’s a lot of strength in that approach, which could lead to a great combination in many customer deployments.
*Thread Reply:* My most immediate questions would be around Ivanti’s previous track record in their earlier acquisitions, their go-to-market model, and their planned execution of their vision.
*Thread Reply:* Time will tell…
*Thread Reply:* Agreed, Ivanti is definitely trying to build up a strong offering, but will need a strong execution.
*Thread Reply:* I think MobileIron's suite of offerings will make a nice pairing with what Ivanti is bringing to the table. As much as I hate to say it, I've felt that things plateaued after the release of Access. Here's hoping the relationship jives and takes things to the next level for everyone involved!
*Thread Reply:* The interesting part is how and if this will affect current MobileIron licenses in terms of features, and vice versa. And it also might be the case that the brand name „MobileIron“ will disappear. What do you think?
*Thread Reply:* @Mikey2000 My guess that they just absorb everything and leave it as-is (perhaps for 1-2 years). Then start to rebrand/re-align/etc
*Thread Reply:* Lets make some bets! 😜
Are there any mobileiron documents available on how to enable KCD for docs@work?
*Thread Reply:* forget about KCD, iOS doesn’t support UIWebView anymore which allowed us to do KCD. Use iOS SSO payload with Kerberos
*Thread Reply:* For CIFS and for SharePoint when FBA and webview is disabled, KCD still works
Hello, is it possible to use PIN registration with KME on Cloud ? It keeps asking for password and failed to register.
*Thread Reply:* this way you will ensure that Go only prompts for username, and then redirection happens
*Thread Reply:* Thank you, good to know
*Thread Reply:* It’s the same as when using an IdP to login to MI Cloud
I want to create a label for Exchange users which have already been migrated to Exchange Online. I know there is an Active Directory property that shows if the mailbox is hosted Online or On-Prem. I forgot it, does anyone know this? Is it msExchRemoteRecipientType = 4?
https://oddytee.wordpress.com/2018/06/11/attributes-change-for-an-ad-user-a-mailbox-is-moved-to-exo/
I use these values for Exchange Online: (&(objectCategory=person)(|(msExchRecipientTypeDetails=2147483648)(msExchRecipientTypeDetails=8589934592)(msExchRecipientTypeDetails=17179869184)(msExchRecipientTypeDetails=34359738368)))
And these for on-prem: (&(objectCategory=person)(|(msExchRecipientTypeDetails=1)(msExchRecipientTypeDetails=2)(msExchRecipientTypeDetails=4)(msExchRecipientTypeDetails=16)(msExchRecipientTypeDetails=32)(msExchRecipientTypeDetails=128)))
*Thread Reply:* @Peter Mohr Using a MI Core that has users on multiple M365 tenants, I'm working on a similar label to selectively apply a mail config to users whose mailboxes have migrated. I see that the values you listed are in this article: https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin-mso_exchon-mso_o365b/recipient-type-values/7c2620e5-9870-48ba-b5c2-7772c739c651 My concern is that I would need the MI label to ascertain both that the user's mailbox has migrated, and to which tenant. So rhetorically, I'm wondering if I need to combine msExchRecipientTypeDetails and targetAddress.
*Thread Reply:* Why do you care about tenants? For mail and app configuration it's all the same for all tenants
*Thread Reply:* Agreed that in most cases, it would be. But I'm afraid that in this case, the M365 tenant destinations are not the same.
*Thread Reply:* But I guess that gets too complicated. Simpler question: Do you mean that you used msExchRecipientTypeDetails in your MI labels?
FYI // This is being addressed in Core HotFix 10.8.0.0a
Excuse me, but am I the only one? I don’t get it! Is that supposed to be funny or rather serious?
My guess is they're showing how Avanti took the fast track into the magic quadrant?
*Thread Reply:* Yes that would be my guess too! And I like your word association - Avanti! 🤣
*Thread Reply:* Gartner gave a lot of importance to areas like old client management and VDI this year
*Thread Reply:* MI don’t provide those features, hence the movement
*Thread Reply:* Check Forrester Wave Quadrant to find what I mean
MobileIron Core - Provisioning Port 8080 - this is default, right? Where can this be changed to 443? Any device impact after changing it to 443?
*Thread Reply:* if you see 8080 this means this Core was built a long time ago
*Thread Reply:* You can change that port from MICS portal / Settings / Port Settings
*Thread Reply:* Right, I see the same option like you posted. Core was built a long time ago. How can I verify if we still use 8080 or 443? I see 8080 only with the CRL
*Thread Reply:* And changing the CRL from 8080 to 443, any impact for devices. I guess local CAs will renew certificates?
*Thread Reply:* A CRL on HTTPS doesn't really make sense because you need to check another CRL to verify your CRL...
*Thread Reply:* Right.. but to use 8080 was flagged as a security risk by an audit company.
I am looking for useful PowerShell scripts which leverage the REST API for MobileIron Core. Does anyone want to share useful scripts? Could be a helpful thread to push MobileIron Core
*Thread Reply:* Found that: http://rikka.se/?q=node/12
We have on-prem MI servers with a BYOD infrastructure with a mix of Android and iOS devices. We use in-app registration using the Mobile@Work client. A security audit recommended us to have MFA while users register a device using Mobile@Work. Is there a solution as such to meet our requirement?
*Thread Reply:* At the moment you can leverage PIN + Password, which is MFA.
*Thread Reply:* If you want to use your IdP and leverage its own MFA, that’s what will eventually be available
*Thread Reply:* @mahiroux We front-end our Core with BYODPortal, which is tied to our Okta (which employs MFA). We enforce PIN at the Core, so no one circumvents the BYODPortal enrollment workflow.
*Thread Reply:* You can also federate the Core user portal with an IdP, no more need to have BYODPortal (which hopefully will soon be EOL...)
We have Standalone Sentry talking to two Exchange 2016 servers on round robin. Users are complaining about email sync issues. Sentry SMC shows so many HTTP 503 errors and 'servers marked dead' errors. I had multiple support calls but the issue still exists. Can anyone please give some insights on how to fix this issue?
*Thread Reply:* I had a couple of similar issues and it was often due to firewall timeouts
The important thing to understand is that the session TCP keepalive timeout must increase, or at least stay equal, from the Exchange CAS server out to the device
i.e.:
Exchange CAS: 15 minutes
CAS load balancer: 30 minutes
Sentry: (not configurable) 60 minutes
Sentry LB: 60 minutes
Edge firewall: 60 minutes
THIS IS SUPER IMPORTANT!! It can lead to mailbox re-sync and very awkward issues 😉 Everything is explained in the MobileIron & Microsoft KBs
*Thread Reply:* Well explained here: http://ilantz.com/2013/01/14/tcpip-keepalive-session-timeout-rpc-timeout-exchange-outlook-and-you/ And here: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxzMCAS
Anyone know if the Cloud Connector can run VMWare Tools?
The team asked. I'm 99.9% sure if it isn't included as part of the ISO there's no way to bolt-it-on after the fact. Right?
*Thread Reply:* Whoops wrong product :) deleted my message
*Thread Reply:* I do not think so. You can try though, with the same commands as for the Core and Sentry. In VMware on the connector click Install VMTools. Go to the CLI and perform a “install rpm cdrom”
*Thread Reply:* @Mark Vonk yeah, unfortunately I don't see the ability to invoke the install rpm command. Can't say I didn't explore all the options 🙂
*Thread Reply:* Just checked it: you need to register a support case to get a devshell password. See: https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxoFCAS
As there is no service support (one time password for misupport)
After you get that you can install the VMware tools using regular Linux commands
*Thread Reply:* @Mark Vonk yeah, I was looking for the service support option. Use that all the time on the Cores
This appears to be tied to the AE profile. "ERRORADDACCOUNTAUTHENTICATOREXCEPTION"
Purely related to the add of the Google Account. Play Store/etc installs apps and whatnot. Odd part is that I do not see a newly added device listing under said user's account, being blocked, etc
Weirder part is that it is working on my Samsung S10 on Verizon... and erroring-out on the same devices on AT&T
Compare patch level on both. It’s usually the reason why you only see mayhem on one of them
@Raul Would that prevent the Google Account from authenticating/adding? Even if I don't have any filter set on Core for patch level/etc?
Well, from the large number of issues that I've seen in the past, and as the same config seems to be working on another device of the same model and a different carrier, I'd say that the issue seems to be in the device firmware, which is not working fine with these patches.
As it’s not general, you should check with OEM, and then with carrier affected
There’s most likely nothing on Core that can be making the issue
You register each device to one user only, right?
So I just tried said user's account on my Verizon device. Same result
Do you have an account named "Android for Work" on the device?
@Matthijs Schut has joined the channel
@Vlastimil Turzík has joined the channel
We use MobileIron Access with an app on iOS. Now we want to use Cisco AnyConnect with that same app - since we already have one Tunnel config for MobileIron Access, how can we use another Tunnel configuration for Cisco VPN? Do we need to use one configuration for Access and Cisco VPN, if that is possible?! Two Tunnel configs will not work to trigger the same app, right?
You can only have 1 per app VPN applied to an app on a device. You can have a per app VPN and a device wide vpn but the per app vpn will take priority on a device.
*Thread Reply:* But I can combine MobileIron Access and Cisco VPN in one Tunnel config?
*Thread Reply:* Not possible afaik. Using Access requires Tunnel. You should really look into why you need another VPN, because Tunnel already offers you VPN capabilities
*Thread Reply:* Mostly it is because we don’t have the platinum license to use Tunnel 😜
Meant to share that I received closure on this one. When the changes were made at the top level of the GSuite tenant to no longer require the Google Device Policy app.. it relaxed on all OUs.. except ones that had been customized. Said user was in an OU that still required the Google Device Policy app, hence why it wasn't allowing things to move forward. The second we corrected the setting on the OU, the Google Account added and we were back in business.
Anyone familiar with CheckMK monitoring? Can this be used with MobileIron?
*Thread Reply:* If there is no plugin yet, maybe you can try to modify my plugin for Centreon https://github.com/nosari20/centreon-mobileiron-plugin
on Core.
*Thread Reply:* You can add a WebApp in the Google Play iFrame.
*Thread Reply:* and works on All AE modes, not only on DO mode
*Thread Reply:* Thank you @Raul and @Almar Diehl!
*Thread Reply:* So will the shortcut call and open the URL in Chrome directly or do a browser window (like a full screen web app)?
*Thread Reply:* You can choose the behaviour, but Chrome has to be installed
*Thread Reply:* That’s fine @Raul. I’ve already got Chrome installed/allowed (using managed config with homepage and bookmark entries)
Is MobileIron supported on the Amazon Fire 8 Plus (10th Gen)?
Is there an installation guide for MobileIron Connector for LDAP connection with MobileIron Cloud using Hyper-V?
*Thread Reply:* ??.
It’s just a matter of creating the VM and attaching the ISO, like on ESX
Is the client traffic between MobileIron Core and Device (Mobile@Work) encrypted by default or is there an option to enable this? Background to this question - security wants to know how the current communication is secured between Core and Device.
*Thread Reply:* Yes, you can also set up which protocol and cipher suites are used. By default the device authenticates to Core with a token but you can enable mutual auth
*Thread Reply:* Mutual auth is on by default @Mikey2000 Has been for a long time
*Thread Reply:* Thanks. Are there whitepapers regarding this?
*Thread Reply:* @Tohsheen Since when? I enabled it on a test Core manually some months ago
*Thread Reply:* I was asking myself the same @Tohsheen .. MA is not default for us and we didn't change anything!
*Thread Reply:* I guess he meant TLS, and not certificate mutual auth
*Thread Reply:* I only enable it when I go with Common Criteria mode
*Thread Reply:* Connection from /to device to Core is encrypted by default, that’s what was enabled a while ago
*Thread Reply:* in the old days, the provisioning port was by default 8080 but then it was moved to 443 with encryption,
*Thread Reply:* Think about it. MI Core and MI Sentry requires a paid TLS certificate to encrypt the communications from / to device to Core
*Thread Reply:* Right! Thanks for the great explanation! 👍🙌
*Thread Reply:* I had a sinking feeling we had decided to enable it by default. Thanks Raul for clarifying..back to my holiday
*Thread Reply:* There are many little options to tweak security in Core, but the default setup isn't bad.
*Thread Reply:* Very excited for this functionality.
*Thread Reply:* Keep in mind that AAD is always slower than MI Access
MI Core and Cloud finally appears on the list of approved Device Compliance Partners within MEM
Core 11 and Cloud R75 allows you to forward device posture, and it’s not a preview list
Is there really no system backup option for Sentry, like there is with Core? How can I backup/restore Sentry?
*Thread Reply:* Core delivers the complex configs to Sentry as soon as they connect, so you only need to take care of the network config and the certificate
*Thread Reply:* Sentry is only a puppet managed from Core
*Thread Reply:* So from server perspective, you just need to take care of the system config, network and so
*Thread Reply:* The cert you use on Sentry portal doesn’t have to be trusted because it’s not exposed to internet so it’s up to you if you add a TLS cert there
*Thread Reply:* The rest is, network config, static hosts if you use them, and maybe ciphers selected (only for Core as Cloud also delivers the cipher config)
*Thread Reply:* I always say that if Sentry breaks for any reason (never happened to me before), and it takes more than 15 mins to fix it, burn it up and rebuild it. it’s very quick
*Thread Reply:* After contacting with Core, everything including the TLS cert exposed to internet will be delivered to Sentry automatically
*Thread Reply:* You say exporting config should be enough - what do you mean by that? The only things that you already mention are: Email settings, static hosts, user for the software updates.. and I thought I would need the TLS portal cert because some browsers will not let you login with the self signed.
*Thread Reply:* Sorry missed the point „export config“
*Thread Reply:* you can always log in by IP even if the cert is not trusted
Is there a way to monitor license consumption with MobileIron Core?
*Thread Reply:* not out of the box as far as I know. you can build own reports regarding that or use third party software for that.
*Thread Reply:* I would be really interested in how you guys build your own reports or which third party you can recommend.
*Thread Reply:* count active devices via API, CSV export and import or reporting database
*Thread Reply:* Well but I can’t get out of Core how many licenses we have bought, right?
*Thread Reply:* no, you need to check your billing/delivery letter
*Thread Reply:* Yes, there is - IronWorks provides precisely this, along with suggested licence optimisation calculations and other reporting capabilities.
*Thread Reply:* But not available within MobileIron itself
*Thread Reply:* Do you know how IronWorks knows the exact amount of bought licenses?
*Thread Reply:* That information is keyed in (and updated with new purchase) by the finance department
*Thread Reply:* Just to clarify, typically the finance dept at the customer’s reseller.
Anyone using this Apple watch app? This is only for users to see and manage enrolled devices, like within Mobile@Work, right?
*Thread Reply:* I tried... but it’s not that great yet...
@ChrisB [MSFT] has joined the channel
MobileIron Access VS Azure Conditional Access with Intune (only O365 cloud service) Can you name me 3 major advantages of MI Access in comparison to Azure Conditional Access with Intune.
I got this one: 1.) SSSO - Seamless Single Sign-On with Access, not SSO like with Intune
Downside with Access: ADFS is mandatory. With Intune you could also use Password Hash or PTA.
*Thread Reply:* late to this but to clarify ADFS isn't mandatory... other IDP's will do as well. We federated O365 with Okta and did DelIDP to MI Access after trying to do AzureAD conditional access with PTA. Users hated the constant pw prompts and the device trust for 3rd party mobile devices in Azure never go it to where we wanted it to be. SSSO is huge for our user base and we used MS Authenticator as the iOS SSO Broker app for all MS Office apps so its the only app that needs the VPN profile (there are some downsides to this but performance wise much better)
2) Access is faster than AAD Conditional Access. and can revoke session tokens almost immediately if device is retired or goes out of compliance
4) Core 11 can forward AAD Partner Device Compliance to AAD without enrolling to MEM/Intune, but onboarding with Access makes it super user friendly
5) Regarding using Access when AAD is the IdP, I recommend you to reach out to your MobileIron Local SE for roadmap session.
6) ZSO with FIDO2 will allow you to use mobile to unlock macOS and W10 devices
@Eliot Estep has joined the channel
MobileIron App Wrapping - we received an unsigned copy of Cisco Jabber which we have wrapped with the MobileIron wrapper. After that we have to download the script to sign the app. What is the procedure for signing? Do we have to sign the app or Cisco? We need anything else for signing?
*Thread Reply:* As it’s for internal distribution, you have to sign it with your company Apple Enterprise Developer Identity, like any other in-house iOS app
*Thread Reply:* That’s what you need to deploy iOS in-house apps though UEM
*Thread Reply:* Ah ok, thank you. But there is also a wrapping tool from MobileIron where I don't have to sign the app myself and this will be done by MI, right?
We can’t see any MobileIron apps in the Apple App Store (Mobile@Work, Web@Work etc.) Does anyone know what’s going on?
*Thread Reply:* Hi @Phil Hackett, we already have ticket for this issue. So far no answer from MI.
*Thread Reply:* Thanks @Ladislav Blazek I’m about to open a support ticket myself 😀
*Thread Reply:* MobileIron Service Degradation - Mobileiron Apple Productivity Apps - SET-20833 New incident: Investigating A number of MobileIron customers are experiencing a degradation to the service. Currently Mobileiron Productivity Apps are temporary unavailable from the Apple App Store.
MobileIron Site Reliability Engineering is investigating the issue and will provide an update or notice of resolution once we have collected additional information.
https://status.mobileiron.com/incidents/3df57g7z8fd8
*Thread Reply:* And it’s back in the App Store....
Our operators are wrong on the devices. I have been searching for the Subscriber Carrier Network, Subscriber MCC and Subscriber MNC on the affected device details, but cannot find these three properties. Why?
*Thread Reply:* That’s strange, as iOS reads the required field on the SIM card and populates it so UEM can see it
*Thread Reply:* Android doesn’t do the same so depending on the carrier you will run into issues, but on iOS it should be perfect
*Thread Reply:* Yes, this is weird. We don't have these properties on any iOS devices. And actually the operator that is shown within the overview of all devices is disabled in the operator settings page
We want to monitor MobileIron Core and all Sentrys with Nagios. Is there a guide how to integrate both Core and Sentry? Best practices for which services can be monitored? Do we need a setup within the System Manager of Core and Sentry?
*Thread Reply:* If the Nagios software is required to be installed as an agent to do the monitoring then this isn't possible as these are locked down hardened appliances.
*Thread Reply:* Ok, and if this is not required? Not sure if this is a default requirement for Nagios
*Thread Reply:* If it’s not required you should find if Nagios supports something like syslog or similar
*Thread Reply:* You can use snmp HOST MIB
*Thread Reply:* You can monitor Core and Sentry with Nagios, but only to a certain level. You can see whatever is agentlessly provided by Nagios (http/https and some other ports). You can also use SNMP traps. But Nagios has some agents which can be installed on the host for more detailed monitoring. You could set these up using the "misupport" cmd on the Sentry/Core. But you will get into trouble when you need MI support, afaik. Or you need to get PS involved to have this certified.
*Thread Reply:* I made a plugin for Centreon, maybe it can be used by Nagios https://github.com/nosari20/centreon-mobileiron-plugin
Do we need to consider renaming this channel now that the acquisition has gone through?
At least wait and see if product names change
#IronIvanti #IvantiIron #IvantiCloud #MvantiIron #MilliVanIron #ICouldGoOnForever
Don't forget Wavelink Avalanche in the mix!
https://www.ivanti.com/products/avalanche
*Thread Reply:* Don’t expect that immediately or even later 😉 as MI doesn’t do everything that Avalanche does...
*Thread Reply:* There are probably better things PM can do than just EOL products
*Thread Reply:* Avalanche is great at Windows Mobile and Windows CE!
Has anyone had the error message "Limit has been reached on Google Play" while trying to enroll an Android Enterprise device on Core?
*Thread Reply:* That’s not an MI limit. It’s a limit that Google imposes to deploy AE devices with a user account.
*Thread Reply:* You can enable Device Accounts, and there there’s no limit
*Thread Reply:* Ah I see.. good point! But this particular user has only 1 active device on Core. Are there older enrollments still stored on Google side somewhere?
*Thread Reply:* No idea but enrollment is linked to user, not to device.
*Thread Reply:* I can register 300 devices with the same user as long as the user has this setting enabled
Hi, we use AIP for data classification. Is there a way to classify documents using Docs@Work?
*Thread Reply:* Not in Docs@work, this idea has been dropped due to lack of interest from customers. but Email+ supports that
*Thread Reply:* @NicolasR Thanks for your reply. Since we are using a DLP solution for the email server, any unclassified documents will be blocked. Currently we only use Docs@Work as a document repository in the container. Do you think I can push Office 365 apps with MAM policies effectively and inform users to use Office 365 apps to create and classify documents from mobile devices?
*Thread Reply:* With Filepass you can use Microsoft and Mobileiron apps
Has anyone else had issues with the enrollment of Android devices with MobileIron Core (10.8 and 11)? After entering the user credentials Mobile@Work brings up the error message "unable to locate. Could not connect to server. Check the data connection or the server address". After trying the enrollment a couple of times it will work at one point. Could not find anything within the Mobile@Work logs. Any ideas?
*Thread Reply:* After trying 3-4 times the enrollment works
*Thread Reply:* I am gathering all the relevant logs to find out more
*Thread Reply:* Do you have set system alerts on Core?
*Thread Reply:* If so, do you see alerts like unable to reach MobileIron Gateway?
*Thread Reply:* Maybe related to our firewall
*Thread Reply:* For ex, I receive this alert every thursday when my router is automatically rebooted, but once that router is up, I see all services OK
*Thread Reply:* If I receive it at any other time, then something bad is happening
*Thread Reply:* For me your case looks like networking issues
*Thread Reply:* Ok so I will also enable the system events on Core. Could be helpful
*Thread Reply:* The only thing that is strange we have the exact same issue on another Core with completely different network infrastructure.
*Thread Reply:* Do you have the right amount of resources for your metric?
*Thread Reply:* Performance issues can also reproduce the same issue
*Thread Reply:* How do you mean? Like enough RAM, CPUs on Core?
*Thread Reply:* Gotta check also. Not sure..
*Thread Reply:* I have 1 customer that was having a lot of issues and now that they have all healthy, they are running a Core with 100K devices without issues
*Thread Reply:* Can I see performance issues on MICS in Core? Like a full queue or something?
*Thread Reply:* Umm, I don’t know how, outside of Hypervisor alerts
*Thread Reply:* Ok thanks very good input 👍
*Thread Reply:* If you have mobileiron monitor, you should see performance issues there
*Thread Reply:* We don’t have platinum 😜
*Thread Reply:* maybe snmp performance mibs?
*Thread Reply:* or check logs for timeouts etc
*Thread Reply:* Should be in the core showtech right?
*Thread Reply:* Do you know in which log file?
*Thread Reply:* there are no special logfiles for that. Mi.log and webserver logs seem a good start for me.
Hello, I'm trying to setup Desktop Trust for Access on our lab but I have the error "Acces received an invalid Kerberos ticket for domain: ." I check the keytab and recreate everything with realm in uppercase but the issue remains. Any idea ?
*Thread Reply:* It works for me with this GPO and the config above on Access console
*Thread Reply:* I already uploaded the keytab file created with the command in the documentation
*Thread Reply:* It’s also true that I use the same MS CA for DJ devices and for SCEP
*Thread Reply:* I did not use gpo, I have created the registry keys manually and everything is ok in the ADA logs
*Thread Reply:* I made this video a while ago for a customer, where you first see how unmanaged or not DJ W10 devices are blocked, and how a DJ W10 can access to SharePoint with WIA, and then how it can access to SalesForce and so with the Kerberos Trust Agent and then with WIA as well
*Thread Reply:* I don’t remember to configure anything else but the stuff above
*Thread Reply:* Thank you, I will review all the configurations
*Thread Reply:* Can you confirm that you have created the keytab using ktpass /out access.miada.com.keytab /princ HTTP/access.miada.com@MYCOMPANY.COM /mapuser svc.miada@MYCOMPANY.COM /crypto All /pass ** -ptype KRB5_NT_PRINCIPAL? The -ptype KRB5_NT_PRINCIPAL suppresses "WARNING: pType and account type do not match. This might cause problems." Thanks in advance @Raul
*Thread Reply:* https://help.mobileiron.com/s/article-detail-page?Id=kA134000000Qy4QCAS
I used a command exactly like in the example
ktpass /out access.miada.com.keytab /princ HTTP/access.miada.com@MIADA.COM /mapuser svuser@MIADA.COM /crypto All /pass
*Thread Reply:* Same as I did to create the keytab for Sentry for ActiveSync, but this time for Access Desktop trust
*Thread Reply:* I tried both, the problem seems to not be there so
I'm curious if more people are experiencing the Samsung S20 factory reset issue on enrolled AE COPE devices after the upgrade from Android 10 to 11 with the MI Go 74 client?
*Thread Reply:* We have had reports of this as well, although via Core
*Thread Reply:* I see a MI post regarding an issue registering WPCOD + KME, that is Resolved in Mobile@Work 11.0.0.1 and MobileIron Go 74.1.0.2 (not yet released?) Maybe this is also related to the COPE -> WPCOD migration issue you are encountering.
*Thread Reply:* Yes indeed, also for KME enrollment you need to add JSON data in the KME profile and use the option to let MDM decide the enrollment type.
{ "workProfileEnabled": true, "quickStart": true }
Cisco Jabber + ADFS + MI Tunnel question. Jabber uses certificate-based authentication via ADFS. Our ADFS and Jabber infrastructure are not externally published, so we want to send the Jabber client on iOS through MobileIron Tunnel. Is there still a limitation for UDP? Will ADFS CBA work in this scenario? Anything else we need to consider?
Hi Mikey, Split UDP works with Tunnel (packet-tunnel mode), so it means your UDP traffic is not handled by Tunnel. If you want UDP as part of it, you should look at Pulse Secure 😆😉
*Thread Reply:* Hey Nicolas, Thanks - but that would mean that our Jabber infrastructure needs to be externally published, which it is not. Can you explain the Pulse Secure part.
*Thread Reply:* Well, Pulse Secure is a real full featured VPN including UDP tunneling 😉
*Thread Reply:* Cool.. but extra license right? We have platinum
*Thread Reply:* Currently the Pulse Secure part is not included in any bundle yet, but feel free to go and talk to your sales representative, he will be happy to help I’m sure
@Patrick Hogeboom has joined the channel
Has anyone come across this: We use MI Core + EAS Sentry + Exchange On-Prem (Passthrough) + iOS Apple native mail app. If some users change their AD password, the mail app will not prompt for a new password and the mailbox will keep synchronizing until the next day when the password prompt shows up. Why the delay? I am guessing this must be an AD/Exchange issue because the sync with the old credentials still works. Any ideas?
ActiveSync only re-authenticates once in a while. Usually once every 12 or 24 hours… Stores a local token and uses that for sync until the next re-auth
We need like 30 devices for Android Enterprise COSU - If we use MobileIron Cloud do we need an LDAP connector or can we invite users and enroll them into COSU without LDAP? We want to keep the implementation as easy as possible.
*Thread Reply:* Enable Device Accounts setting on each account and you will be able to provision N devices in COSU mode against the same account, or create different local accounts
*Thread Reply:* If you also deploy kiosk mode, you can add a variable with an identifier to the Text Banner for later identification of devices when user call HD
*Thread Reply:* Great thanks - sounds good. Where is the setting for the device accounts?
Also, how do you recommend deploying the Android Enterprise configs for COSU, COPE and WP with device groups? This is a little different than with Core. Now we use only COSU, so I just deployed it for test purposes on All Devices. But when I also want COPE and WP, I need to use custom groups. I had the problem that I created a custom manual device group, but I cannot assign the group to the device right away because it's not enrolled. What's best practice here?
*Thread Reply:* Create a user group where you add users. Then create the same group for devices, with a condition of the OS and User Group membership to belong to the User Group you created in the previous step
MobileIron Core LDAP - we added an LDAP connection for LDAPS (636) parallel to the LDAP (389) one a couple of months ago and forgot to disable/remove the 389 connection. Both are working, because if we look for LDAP users within the Users tab (LDAP Entity) we have double entries for the same user. Can we disable the 389 connection without any impact like losing any user accounts? What is the normal procedure here?
*Thread Reply:* If you just change from
*Thread Reply:* If the URL is the same, go ahead. No issues
*Thread Reply:* That’s better than 2 LDAP configs pointing to the same LDAP server
*Thread Reply:* I’ve done on Core and Cloud and no issues
*Thread Reply:* Right, but we already have two pointing at the same server, only with different ports. So I will remove the 389 one
*Thread Reply:* If you want to be sure that everything is working, force an LDAP sync after removing the old config
I am having issues with the Samsung Gallery store app on Android 10 + 11 devices. The app will not show up within the Work Profile (MobileIron Core). Has there been a change I am not aware of?
*Thread Reply:* The last keeps working, the first should never be on Work Profile
*Thread Reply:* On some new enrollments it won’t get installed.
*Thread Reply:* Well, Gallery is a system app so it’s very easy to enable it manually.
*Thread Reply:* I see it on my demo S10 on Android 11
*Thread Reply:* Yes at the moment we install it via AppCatalog. I will try it via Lockdown policy
*Thread Reply:* Update: Lockdown policy works fine - deployment via AppCatalog doesn’t work for most devices.
*Thread Reply:* I always add all the package IDs of Galleries as on other OEMs it’s different so better enable all of them
*Thread Reply:* If you don’t need to configure an app, like Gallery, it’s always better to enable them via Lockdown policy
*Thread Reply:* For Chrome, Samsung Email and so, then deploy the app as a corp app
*Thread Reply:* Right thanks. For some devices the installation of Chrome also fails. Other work profile apps on the same device work, only Chrome fails.
*Thread Reply:* It fails when Android WebView is not updated before installing Chrome.
*Thread Reply:* Once it’s updated, the Chrome installation happens
*Thread Reply:* How can we upgrade the WebView? Manually via Google Play?
*Thread Reply:* For DO mode devices it’s tricky, but for COPE we recommend users add a personal account to the personal side as this should trigger the update automatically, or simply wait as this will happen but will take time
*Thread Reply:* So for work profile it should be easy right?
Now that MobileIron has been acquired, I suppose it’s time to go back and dig up some photos/videos from the good ’ole days. Came across this one today, which was at a company event/dinner where the theme was a ❄️ snowball fight ❄️ 🙂
*Thread Reply:* M1 - The first user conference! 2011.
*Thread Reply:* I remember this. I attended as a Partner and will have to see if i can dig up any old photos from this event.
*Thread Reply:* Yeah, one of the best conferences that I attended
Is anyone using SAP Fiori (Store app) on iOS?
*Thread Reply:* I have the PLIST basic auth. but we use ADFS CBA with SAP. Could not find anything if SAP has KVP to support this
Hi, I had reported an issue with MI Core and the support team confirmed this will be resolved in a future Core release and provided a JIRA id. What does this id mean?
*Thread Reply:* This means you reported a bug or a feature not implemented that will be in future versions of Core
*Thread Reply:* You can reference this ID at a later date to ask for an update on it.
So a customer of mine just added a Whitelist string to the Honeywell OEM Config in Core and now it’s coming back with this. @NicolasR I know there was an issue with Core 10.8.0.0 similar to this. Has anyone encountered something similar here?
*Thread Reply:* I would recommend re-enrolling the devices with a different method other than DPC identifier so that the system apps like OEMConfig and the camera are left enabled
*Thread Reply:* I heard the same customer complain around Christmas even with the patch, but the issue was gone by itself with no further action
*Thread Reply:* @NicolasR apparently it’s persisting. They’re going to launch a support ticket to dig deeper
*Thread Reply:* @NicolasR closure: they were able to resolve via direct fix in the DB
Question MobileIron Core + Knox Mobile Enrollment for Work Managed Device with Work Profile: Should a filter label with Registration Status = Managed Device with Work Profile work as a filter option within the label after enrolling a device via KME? The device will not be applied to the label. Of course I have a different label for COBO with filter option Work Managed Device and it will always land in that label. Shouldn’t the JSON field workProfileEnabled:true take care of this so that it will be WPOCD from the time of registration, or is the other label interfering?
*Thread Reply:* The attribute is not set until the device is fully enrolled. Hence you can’t use it as a dynamic label to distribute configurations like the AE configuration. Doing so will lead to factory resets.
*Thread Reply:* Gotcha.. that's what I thought. Not sure why I need to enter that JSON data on KME for WPOCD. How can I use dynamic COBO and COPE labels at the same time? I can’t use manual labels because I don’t know when the user enrolls the device.
*Thread Reply:* You need to enter the JSON as KMEs enrollment model is DO. COPE was based on DO, but with Android 11 changed to PO (profile owner). Hence the JSON is needed to make sure a Work Profile is created instead of the device enrolling as a COBO device.
*Thread Reply:* What about a dynamic label that is the same as the COBO label but using != instead? Would that work? Never tried it, but it might work, unless you also have BYOD
*Thread Reply:* Yes, I also have BYOD, but I covered that with != Work Managed like you mentioned. But since COBO and COPE are both Work Managed at first, I cannot use the !=. I would need a second filter option to bind COPE. But I don’t know which one. Is there something I can set in the KME JSON so I can identify the devices when they hit Core? This is a tricky one.
*Thread Reply:* I think this is the solution:
*Thread Reply:* Would be interesting which label filter property key1 is - @Raul I am sure you know this. Spain is your environment, right? 😜
*Thread Reply:* But it looks like that attributes are not supported for Work Managed with Work Profile - confused:
*Thread Reply:* WPCOD doesn’t support custom attributes, afaik
*Thread Reply:* Even when the current method to register WPCOD devices with KME, ZT and QR code will change in the near future for good, as per today you need a dedicated KME profile and so on for WPCOD
*Thread Reply:* So you can actually apply it to all devices that will be targeted as WPCOD
*Thread Reply:* Right, so:
- have 2 different profiles in KME for old COPE and WPCOD
- have 2 different labels on Core for old COPE and WPCOD.
For the old COPE we can use custom attributes via KME JSON. And for WPCOD we have to use a filter option like AD groups or device serial numbers or something that might work. Because the registration status "work managed with work profile" won’t work.
*Thread Reply:* Did you also add the condition Android Enterprise capable = true to the dynamic label?
*Thread Reply:* In any case, that’s going to be a temporary WA, as on future releases of Core and Cloud, Android 11 devices will be handled as DO in any case and after registering, they will receive the command from the server to turn into WPCOD or remain as DO
*Thread Reply:* No I didn’t. I thought this was only relevant for everything lower than Android 6 (or 5.1)
*Thread Reply:* Nope, it’s required for timing when you send the AE config to provision devices to DO, COPE, etc. in a timely manner
*Thread Reply:* In any case, keep in mind that if on Android 11 we are no longer able to send attributes during provisioning, you should make your own approach with labels
*Thread Reply:* I guess that once the ZT portal is integrated as an iFrame into UEM, this will be easier
*Thread Reply:* As you can even provision Samsung devices from there
*Thread Reply:* Do you know when the iFrame integration with ZT is happening on Core?
*Thread Reply:* Still no idea as Google opened it at the end of dec
*Thread Reply:* Good info Raul, thanks!
*Thread Reply:* Could OEM config help in this case?
@Thomas Steinmetz has joined the channel
@Martijn Rijerse has joined the channel
This might be a very stupid and rookie question, but how does an Admin re-generate a registration PIN for MI Cloud? Cannot find an action for that. I have received one after the first invite, do I need to invite again to receive another PIN for a new device?
*Thread Reply:* Hey, I think you have to invite him again
@Massinissa Menas has joined the channel
Anyone here setup the new Android 11 WPoFMD workflows that are replacing COPE for MI? Everything I do seems to be going full managed work profile only
*Thread Reply:* How are you enrolling the devices? QR, KME, ZTE?
*Thread Reply:* you’ll need to pass the json string {"workProfileEnabled":true} to the MobileIron app during enrolment.
*Thread Reply:* Screenshot from KME:
*Thread Reply:* You have been using the wrong APK url for the M@W client. The good one is the “nfc” url
*Thread Reply:* yeah so I'm using the NFC url I believe and work profile enabled is set to True
*Thread Reply:* KME not in place at the moment, expect no issues once I get that piece in place but relying on QR for now
*Thread Reply:* Yeah, built QR using MI Provision, then built another using straight JSON, both behave the same - fully managed work device, no profiles
*Thread Reply:* despite the workProfileEnabled:true and the config in MI dictating it
*Thread Reply:* have a call with MI later may be able to get to the bottom of it - We're on Core just updated to 11.0.0.1
*Thread Reply:* And the Android Enterprise config they get does have Work Profile enabled too? Labeling correct ? I have had no such issues so far with Core or Cloud so long as Work Profile Enabled was set to true in either KME or the QR
*Thread Reply:* Interesting - might blow it all away and start from scratch
*Thread Reply:* Some of their enrollment workflows predate me
*Thread Reply:* Oddly enough we got this working on Android 11 using Provisioner QR, but were unable to get it working using the raw JSON QR, though Android 10 liked the raw JSON QR just fine. 🙄
*Thread Reply:* thanks for your help @Mark Vonk
*Thread Reply:* By the way M@W 11.2 (April) will fix the Android 11 behavior for enrollment
Folks any experience here on managing non AE android phones in MobileIron? Is it as fully featured as WS1 and are MobileIron giving it any love?
*Thread Reply:* MI, like WS1, is expected to turn down support for legacy DA this year, probably not to the degree of VMw but nevertheless. As well as this, since Nov last year the agents have been required to target Android 10 in Play, rendering older DA APIs unusable.
If you're talking Samsung and integrated Knox APIs you'll likely be OK, but it's not a super experience.
*Thread Reply:* This is for management of Huawei devices.
*Thread Reply:* I thought VMware were maintaining support for DA for legacy builds like field forces using Zebra/Honeywell devices?
*Thread Reply:* Yeah but it's fully self-supported based on their docs. DA remains for existing customers, it's just not officially supported by default
*Thread Reply:* Google require any UEM on AER to completely remove DA for all Android versions in 2022, and on Android 10 in 2021
*Thread Reply:* Hi @Raul does that mean that the AER UEMs would no longer be able to offer an enrolment and management option for AOSP devices, or am I missing something?
*Thread Reply:* There are other ways to manage those kind of devices.
*Thread Reply:* so if an org needed to manage chinese phones for offices in china with their UEM they could be out of luck or could another option be looked at. Asking for a friend 🙂
*Thread Reply:* I know, that’s why you can use a model similar to DO mode,
*Thread Reply:* made for China and for closed networks
*Thread Reply:* ah OK so the likes of the closed networks offering from WS1 might still be on the table
*Thread Reply:* If the management is more similar to AE on DO mode than to DA, then yes
*Thread Reply:* At least MI is investing to keep supporting China devices while they keep making Google happy
*Thread Reply:* I guess that also other vendors will do the same
*Thread Reply:* Cool so Google's requirement to completely remove DA for all Android versions in 2022, and on Android 10 in 2021 would not force WS1 to remove offerings around closed networks to meet the AER UEM criteria then?
*Thread Reply:* I guess that yes. The idea is to deprecate the APIs
*Thread Reply:* But there are other APIs to be used
*Thread Reply:* more close to the AE model of DO mode
*Thread Reply:* Interesting to see how it plays out. I have a couple of use cases around this, primarily for Chinese markets. My worry was OEMs that did not invest like Samsung in a strong set of OEMConfig capabilities like KSP would be extremely limited to offer a supported management model
*Thread Reply:*
> OK so the likes of the closed networks offering from WS1 might still be on the table
Yes, this is still AE, but without managed Google Play. Device APIs only.
> My worry was OEMs that did not invest like Samsung in a strong set of OEMConfig capabilities like KSP would be extremely limited to offer a supported management model
An increasing number of OEMs are going to OEMConfig, but for closed network the apps will need to support pushing a config XML file.
*Thread Reply:* Thank you gents, you have given me food for thought
@Michael Schiefele has joined the channel
We have a new SharePoint server configured to use Kerberos authentication. There are multiple web applications on this single SharePoint host. Now I am trying to configure Kerberos for SharePoint on Docs@Work (iOS) as per the documentation provided by MI, however I see HTTP 503 errors while accessing SharePoint from Docs@Work using Kerberos (accessing SharePoint using basic authentication is working fine). The question is, should I point to the SharePoint host as the SPN or should I point to each web application as SPNs?
*Thread Reply:* I do have this scenario deployed and both W@W and D@W can open SharePoint sites through Kerberos.
If you have 1 URL for all web apps, you should be able to open all of them by creating a Sentry service and delegating the Sentry service account to connect to the SharePoint server SPN
If you have 1 different URL for each web app (which is the most professional way to do it), you have to create a different SPN for each one and grant delegation access to each one from the Sentry Service Account.
*Thread Reply:* @Raul Thank you for your reply. We do have option 2. I don't have visibility into AD and our system admin has said that he is not able to add the SPN of the web application for delegation under the Sentry service account as these are not machine accounts. How do we achieve that?
*Thread Reply:* https://www.noralku.net/2016/05/08/sharepoint-20132016-kerberos-authentication/
*Thread Reply:* Once you have the SPN of each SharePoint URL properly configured, you can delegate them to the Sentry service account.
*Thread Reply:* On iOS with W@W or Safari you will need iOS SSO applied, which is not KCD, but native kerberos, and works as well.
On D@W you just need to create the services, like on this example of OneDrive
*Thread Reply:* Dear Raul, sorry to keep bothering you. I have now added the SharePoint URLs under MobileIron service account delegation, however Docs@Work keeps prompting for credentials whenever the application is launched. In the debug logs, I can see 'not forwarding TGT for delegation because ..... not applicable(doing S4U2Proxy)'. Any thoughts on this error?
*Thread Reply:* I am supposed to see only FQDN of the web application under delegation tab
Core 11 - what is the background of the message "enable full windows and macos management. Activate now"? Where can I find info about that?
*Thread Reply:* I see the same in Core 11.0.0.0.1 - every time I dismiss it forever it comes back at the next login haha. I think it wants admins to walk through the basic enrollment configs for mac and windows but not 100%. I refuse to activate 😂
*Thread Reply:* that should go away provided you use the same browser it will remember the preference. You should be able to raise a support ticket to disable that banner
*Thread Reply:* This is for the MobileIron Bridge feature, now included with Secure UEM licences.
Just enrolled my first Android 11 device using KME. In the KME profile I added {"workProfileEnabled":true,"quickStart":true} and selected 'Let MDM choose to enroll as a Device Owner or Profile Owner'. Device configures OK, with 2 profiles. However, the Mobile@Work app does not automatically launch for registration. Need to open it in the Work Profile and enter the registration PIN. Is this working as designed or am I missing something?
*Thread Reply:* That’s because we are still on phase 1 of support of WP-C
*Thread Reply:* During April it will be addressed on Core and Cloud, where the device will be provisioned in DO mode (aka the flow you know for COPE and DO devices up to Android 10), will force the user to register, and then the UEM client will convert the device into WP-C
*Thread Reply:* Then you will not need the parameter on json
*Thread Reply:* On Core it will require only M@W 11.2. No Core update is required.
On Cloud it will come within R77 and Go R77.
All will be released in April, but for sure beta of M@W 11.2 will be released before.
*Thread Reply:* Thanks a million Raul!
@Alexander Wendling has joined the channel
Anyone know if Core supports the ability to assign an identity cert for WiFi via PKCS?
*Thread Reply:* If you mean single identity certificate uploaded to Core then yes, it is supported for Wifi, VPN etc.
*Thread Reply:* Yes, single identity cert. However, can the bundle be created/issued dynamically like Microsoft Intune does with their Cert Connector?
*Thread Reply:* No, this is a manually uploaded file only. If you need automation, then SCEP is the way to go. It doesn’t mean it needs to be direct (device -> CA). MI Core can act as the middle man.
*Thread Reply:* Basically Core will handle the cert issuance and provisioning.
*Thread Reply:* Yeah, have a customer that stood up a new PKI and no NDES
*Thread Reply:* Ahhh… but MI Core needs NDES for this.
*Thread Reply:* They’re moving to Intune and it utilizes their PKCS capabilities.
*Thread Reply:* I see… so technically you need to use DCOM protocol - not supported by MI, only SCEP.
*Thread Reply:* Yes sir! That’s what I was getting at
*Thread Reply:* everyone is migrating to Intune… /rant
*Thread Reply:* Migrating.. but the question is will they stay 😉
*Thread Reply:* Hey, some people need to taste a bad beer to appreciate the good ones
*Thread Reply:* Every customer that comes to me with the statement “I’ve tested Intune” always finish it with “And I don’t like it. That’s why you’re here” 😂
Enrolling Zebra OTA with Core - one requirement is that the managed device has had a Google Account added within the Android Enterprise configuration. Why do we need this? That would mean we would need a managed domain with Google, right? We have set up Android Enterprise without registering a domain with Google.
*Thread Reply:* It’s a pretty complicated procedure still requiring two Zebra apps to be distributed from Managed Play with Managed Configs
*Thread Reply:* If MI supports .ZIP based firmware updates then I would recommend that path since LifeGuard OTA still has a long way to go
*Thread Reply:* Not only do you need an AE binding and the devices to have access to the Play Store, you also need the end customer to register a Zebra portal account and for the devices to all pass validation that they are under an active support contract before they are eligible to receive the updates
*Thread Reply:* Screenshots taken from SOTI’s Managed Play iFrame, but the concept is the same
*Thread Reply:* Thanks Matt. I will take a look at this! ✌️
Anyone been using the MI Cloud API today? Tried to utilize it earlier to onboard a few devices (with EBF Migrator) and it was seemingly acting up
*Thread Reply:* Yup, all our IronWorks customer ingests worked fine this morning - their EU instances, if that helps?
*Thread Reply:* @Jason thanks for the report back. I’ll give it another try today!
Is it supported to use the KVP like HTTP_PREFIX: mibrowser with ANY app that was wrapped with the AppConnect SDK or is this app specific and not related to AppConnect? We would like to open all links within an AppConnect wrapped app to open with Web@Work.
*Thread Reply:* well, there are 2 ways to do so.
mibrowser and mibrowsers:// URL patterns are declared by the app developer and belong to W@W, so you can call it from any link.
You can develop your app adding a managed config that, without changing the URL links that the app shows, forces the app to always open links within a specific browser (W@W).
*Thread Reply:* Ex, I can add a KVP to Email+ to always open any link on mail with W@W, even when those links are of type http:// or https://
*Thread Reply:* If your developer is good, it’s always better to add this feature within your own app
*Thread Reply:* Right I see. So in our case that might be a problem because the wrapped app is not our development, it is Cisco Jabber.
*Thread Reply:* Be careful with this as wrapping apps without developer permissions is a violation of the ToS
*Thread Reply:* We have signed a deal with Cisco
*Thread Reply:* Otherwise we would not have received the binaries
soooooo just exported our device list with Advanced Details and noticed a field labelled passcode that to my absolute shock listed 6 digit passcodes.... has anyone seen this and can anyone tell me what I'm actually seeing there before I have an existential breakdown...surely I'm not seeing a user's passcode...right? RIGHT!?
*Thread Reply:* This is a PIN if you use PIN based registration
*Thread Reply:* So just to clarify, no, not their passcode. It’s their PIN for PIN based registration
*Thread Reply:* Thanks @Jason @Florent N. my blood pressure is coming back down
*Thread Reply:* It’s impossible to gather Unlock PIN codes
*Thread Reply:* They are simply registration PINs as the rest of folks mentioned
*Thread Reply:* That CSV is cool to get when a PIN is about to expire, btw
^ Hey, that was my suggestion months ago! 😉
Couldn't pretend it wasn't happening any longer @Jason 😉
How do you guys handle shared mailboxes with Office 365 and mail clients? On iOS we now use the native client and on Android Enterprise Email+ v3. Can we use shared mailboxes with this clients? We don’t want to switch to the Outlook app
Native mail for sure supports multiple mailboxes. But you need to be able to “login” to each… If you use certificates you can issue “SharedMailboxAccess” certificates to your users to enable auto-login to a different mailbox with no username password
*Thread Reply:* Thanks Peter. But isn’t it the case when you create a shared mailbox in O365 (which needs no license) you don’t get a password but the users which have been granted access can authenticate with their standard O365 password? We don’t have certificates with Core yet.
*Thread Reply:* Shared Mailboxes come in many shapes and sizes… Some have an underlying account, some don’t. Some apps require “Full access” in order to access them (Outlook Mobile App being one) while others need just “Delegate” or “On behalf of”.. (Desktop Outlook)… AFAIK ActiveSync only allows you to connect to mailboxes with accounts behind. You can’t login as userA and get access to userB’s mailbox (over ActiveSync). We provision devices with certs for userA and userB in this case. Each configuring its own mailbox
Ivanti ad popped into my Facebook feed. All normal, I’d suppose. It’s the comment that made me laugh 😆
*Thread Reply:* This may deserve a Jim Philips emoji :legend: hahaha
Is there 2-Factor Auth for Admin Login with the Admin Portal on Core?
*Thread Reply:* Not without an IDP, or without MI Access.
I’ve enabled ZSO on MI Core so I can leverage QR code or MFA.
*Thread Reply:* Great thanks. ZSO is part of the new Secure UEM Premium bundle right? If not, we have to federate our Core with ADFS and use ADFS MFA, right? Is there a guide for that?
How can I remove certain devices from a default label like iOS? Can I edit the default label?
I found this where a new label with the exclusion is created:
https://help.mobileiron.com/s/article-detail-page?Id=kA134000000Qx8VCAS
Is there no impact for the devices if I add the new label to the configuration and remove the old label from the configuration - in my case I have an Exchange config on the default iOS label. Will that cause a re-push of the mailbox if I change labels?
*Thread Reply:* If you first add the new label and then remove the old label there is no impact at all (besides the fact that the Exchange config is removed from the excluded devices in the new label of course). No re-push of the mailbox.
*Thread Reply:* Excellent advice from Almar, I would caveat that you co-label the Exchange config for as long as you can until all active devices have checked in (when doing this with customers I suggest 2 weeks) - this lets you manage the exceptions of devices that lose the mailbox for up to 4 hours by ensuring no impact on regularly active devices
*Thread Reply:* Worked like a charm! Thanks 🙏
We have a self development internal website which we made accessible via MobileIron Tunnel. The website will be displayed correctly within Safari, but not within W@W. I thought W@W is based on the Safari engine, but obviously there are still some limitations. I have tried a couple of KVP for W@W (like Cookies, Javascript, etc) but still not change. Any ideas how we could troubleshoot this in order to fix it? If that is even possible.
*Thread Reply:* Have you tried changing the agentID of W@W to mimic Safari?
*Thread Reply:* Great input - no I didn’t. Is that KVP in the docu?
*Thread Reply:* Found it and tried this one:
Mozilla/5.0 (iPhone; CPU iPhone OS 14_4_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1
Still the same.
*Thread Reply:* what is the system behind your webserver? SharePoint or which one?
*Thread Reply:* That I don’t know. I have to ask the product owner. It is not a Sharepoint. Is there a limitation or why do you ask that specifically?
*Thread Reply:* websites that work on Safari usually work as well on W@W as now both rely on the WKWebView library
Can anyone confirm if Email+ for iOS is able to support modern auth to access O365 via IMAPS?
*Thread Reply:* IMAP ? ActiveSync; yes sure. But IMAP? It’s 2021 @Woody ! 😁
*Thread Reply:* @Mark Vonk You’d be surprised who is operating on IMAPS + OAuth these days. If you aren’t using the client specifically designed for your service (e.g Outlook/Gmail) there aren’t a whole lot of other options.
*Thread Reply:* No I do not think OAuth works for IMAP
*Thread Reply:* @Mark Vonk Check out GMail inside the iOS/iPadOS Mail client 😉
*Thread Reply:* I meant that MI Core does not seem to support OAuth for IMAP. At least in the UI there is no option for it.
*Thread Reply:* Ahh yeah, that’s all handled client-side when you push the Google Account config to the device
*Thread Reply:* But agree, I’m not seeing much in terms of Email+ for iOS being able to usher-in an O365/GMail account using modern auth. It’s EAS or nothing
MobileIron Core - changing port 8080 to 443 for CRL - any device impact?
*Thread Reply:* Yes. CRL should not be published with SSL in general. But yes, it does impact it. You will need to re-push all client certs.
*Thread Reply:* I see.. An external audit flagged 8080 for CRL.
*Thread Reply:* Because you would then also need a CRL for the CRL.. literally speaking
*Thread Reply:* CRL, like certificates, are objects which are always signed, and never used without verifying that signature, so they can be served over plain HTTP. Using HTTPS to serve CRL is just wasted resources; it may even prevent CRL download from working since some implementations (e.g. Windows) refuse to follow HTTPS URL when validating certificates (be it for CRL, OCSP, or extra intermediate CA download), because that would mean SSL, then another certificate to validate, and possibly an endless loop.
*Thread Reply:* Thanks Mark! That explains it!
*Thread Reply:* It looks like with newer versions of Core the CRL is default 443
*Thread Reply:* I think that the sentence from the article is “you’d fall into an endless loop”
*Thread Reply:* This is the answer to that question from a MS MVP on the internet.
“Use HTTP since Microsoft clients no longer support HTTPS for downloading CRLs. Think about it, you are setting up a chicken and the Egg scenario. 1) I need to download the CRL 2) Oh the site is protected by SSL 3) Look the SSL certificate has a CDP extension. 4) Goto Step 1
Remember that a CRL is a public domain object and contains non-privacy information.”
*Thread Reply:* But why is Core using 443 for CRL as default with new versions then?
*Thread Reply:* I’d open a ticket with MI Support to ask that
*Thread Reply:* I have installed a new version in my lab and there is 443 default - this confuses me.
*Thread Reply:* Since Core 10.5 it should default to 8080
*Thread Reply:* Reachability of Local Certificate Authority CRL distribution points: The default port and protocol have changed for provisioning Local CA Certificate Revocation List distribution points (CDPs). The System Manager now configures CDPs to use port 8080 and protocol HTTP by default. Previously, the defaults were port 443 and HTTPS. Local CA CDPs that were configured to use HTTPS through port 443 will still be reachable. For more information, see “Port Settings” in the MobileIron Core System Manager Guide.
*Thread Reply:* So Core 10.5+ should install CA CRL over http by default, to avoid issues
*Thread Reply:* Twitter reveals they have released updated versions of the code with current certificates ~3 hours ago
*Thread Reply:* @Caryn Makes you wonder if something/someone was disgruntled as part of the acquisiton
By chance, anyone having issues enrolling Apple devices to MobileIron Cloud? Edit: It seems to be specific to the NA2 cluster
*Thread Reply:* Attempting via web-based and User Enrollment (kicked-off from the MI Go App) and seeing the same result
*Thread Reply:* Also tried using Cellular and WiFi. Same result. Really odd
*Thread Reply:* Received a few of these today in Core
*Thread Reply:* just a fluke on our side
*Thread Reply:* Interesting @Justin Butts. This one was weird, because it’s in the MI Cloud hosted environment
*Thread Reply:* Still continuing to be a hit-or-miss scenario
Is it possible to configure kerberos for Sharepoint on AE docs@work without Hypergate,if i use app connect and do not use web-view?
*Thread Reply:* @mahiroux IIRC (and it has been awhile).. Docs@Work enabled with AppConnect would connect with the Sentry which would use an identity certificate.. which could be configured in the Sentry to use Kerberos for the SharePoint site/URL.
*Thread Reply:* AppConnect is not supported within Android enterprise. The only viable option is hypergate right now.
*Thread Reply:* Looks like AppTunnel is still supported in AE Docs@Work. I am still able to connect to backend services from Docs@Work.
*Thread Reply:* It might work, but officially it is not supported. See: https://help.mobileiron.com/s/article-detail-page?Id=kA13n000000PQSACA4
*Thread Reply:* AFAIK appconnect for Android is only maintained to service customers still on DA
MobileIron Core -> Security Policy > If a device has not connected to Core within x days is enabled with „Block Email, AppConnect apps and Send alert“ If we look under ActiveSync within Core, users which have violated this rule still have the status ALLOWED. Shouldn’t this be set to blocked? We use iOS native mail - FQDN is Sentry. The alert is working - Core is sending this alert
*Thread Reply:* Hi Mikey, the block is being done by the Sentry server stopping the connection. Does not affect the underlying ActiveSync
*Thread Reply:* Thanks Steve. But since the mail client connects to Sentry, it should be blocked, right? I don’t understand the purpose of Sentry in this case if EAS will not be blocked
*Thread Reply:* The clients talk to the Sentry and then the Sentry talks to EAS. If the Sentry blocks the connection then the client does not get email as there is no route for it. Exchange itself knows nothing about this block
*Thread Reply:* Right thats is exactly what I mean. But the device still can sync emails via Sentry and the ActiveSync status on Core is not blocked even though the alert was triggered
*Thread Reply:* Maybe the device has been manually allowed. The block in that case won't be executed. Delete the ActiveSync device on Core and once the device connects again, it should be blocked. Never manually allow an ActiveSync device as it will break the automatic Block feature.
Some of the OPPO phones,users have personal apps such as Facebook in work profile.How do we disable personal apps appearing in the work profile?
*Thread Reply:* In the lockdown policy you can define a blacklist of system apps to block.
*Thread Reply:* Do I need to blacklist all package IDs of system apps? I am wondering why Facebook and Gamespace would be considered system apps on OPPO?
*Thread Reply:* It varies by manufacturer, device and Android version which apps are deemed system apps. With Samsung on Android 11 Facebook is also a system app. I do not understand this either. I believe @Jason Bayton is passionate about this (ab)use too. Anyway, yes you need to add the package identifiers, like you did in the example 👌
*Thread Reply:* @Mark Vonk Thanks. What is the easiest way to get the package ID of these apps? We have a BYOD policy and users are coming up with as many brands as are available in the market.
*Thread Reply:* I use an app like the following to find the app id: https://play.google.com/store/apps/details?id=com.csdroid.pkg Unfortunately with BYOD, you can't disable all system apps upon registration. This is AFAIK only available for Device Owner enrollments.
*Thread Reply:* Reach out to Oppo support to raise it with them as officially as you can. Send me screenshots showing the issue and I'll escalate with Google also. They've screwed up the vital app config either accidentally or purposefully
Hello everyone, I have the following problem with WebDAV and Docs@Work under iOS, MobileIron Core v11.1, configuration created in MobileIron Core etc.: as soon as I call the site in Docs@Work the authentication prompt appears; after entering the credentials the authentication popup comes again, the whole thing in an endless loop. On the Sentry, in the trace, you see an anonymous 401 error. The whole thing works via the Safari or Chrome browser or other WebDAV apps, only Docs@Work just does not want to; under Android the whole thing runs. Does anyone know this behavior?
Hello, I have removed some of the apps from the ‘Silently install for mandatory app’ option for Android Enterprise deployment. Post this change, newly enrolled users do not see these apps in the Managed Play Store; however existing users who were already using Android Enterprise see the apps even if they register a new device. Has anyone noticed such behavior?
@Gianmarco Cerruti has joined the channel
Hello everyone! I am a sporadic user of MobileIron, I was setting up an Android 9 device in Fully Managed mode and I was wondering is it possible to block the use of an app? For example on this device Facebook is installed natively and I don't want users to be able to use it. From what I see I can blacklist the app and receive a non-compliance notification but not block its use. Are there any other configurations to set? Thanks!
*Thread Reply:* Hola @Gianmarco Cerruti - Are you using Zero Touch? You can use the DPC Options to configure whether the system apps are enabled/disabled, etc https://help.mobileiron.com/s/article-detail-page?Id=kA134000000QxOmCAK
*Thread Reply:* You can disable it from Lockdown if Core or restriction config if Cloud
*Thread Reply:* If you want full control over the device and apps, it’s easier to just disable system apps and usher-in what’s needed. Then you know the bloatware is off the device and you’re in full control of what apps are installed/available for request to install.
*Thread Reply:* Thanks everyone! For these devices I disabled the app from the restrictions. In the future I will consider to disable them directly in the enrollment phase, but I think it is possible only for KME Samsung or Zero Touch AE, or I can from MobileIron regardless?
*Thread Reply:* Hi, using QR code for Device Owner mode there is a tickbox inside the MobileIron Provisioner app that lets you remove system apps, it is not Knox or Zero Touch dependent
*Thread Reply:* Perfect! Can I kindly ask in which menu I find the QRcode configuration for enrollment on MobileIron cloud console? thanks!
*Thread Reply:* Good one, @Steve Hayton! Yes, all that is initiated via the QR code that is generated (for whatever system you are enrolling into). In this case, the MI Provisioner App. Others dynamically generate the QR code inside the Admin/management UI, etc.
*Thread Reply:* thanks Woody, all done and confirmed working :)
Does anyone know if Citrix Workspaces supports iOS Managed appconfig for the server URL?
*Thread Reply:* It doesn’t Citrix now have some fancy e-mail discovery config thing online
*Thread Reply:* https://www.citrix.com/blogs/2013/04/01/configuring-email-based-account-discovery-for-citrix-receiver/
*Thread Reply:* Thanks! I was hoping to pre populate our Citrix cloud tenant for the iOS app so users do t have to type it in
*Thread Reply:* Figured I would share in case this helps anyone. Figured this out with the help of Citrix
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>url</key> <string>companyurl.cloud.com</string> </dict> </plist>
*Thread Reply:* should have tried URL but I tried almost every other permutation of it lol
Anyone else seeing this? After upgrading the Core server to 11.2, for some reason all Exchange ActiveSync profiles are modified and sent to all devices. This leads to a full sync when using Kerberos authentication and users having to enter their password when using basic authentication.
*Thread Reply:* Hi, I did our live (Exchange ActiveSync through a Sentry to Google) and Demo (Exchange ActiveSync through a Sentry to Office 365) yesterday with no Exchange profile modification/resend. I don't have a test with on prem any to test your specific use case but as far as I can tell this is not a global "Exchange Config" issue
*Thread Reply:* I received a notification from a certain local ACN about this …
*Thread Reply:* This is concerning - we have core updates due soon.
Is there a way to find out via CLI if the access to the admin portal of Core was restricted and is only accessible for certain IP ranges? We can’t access the admin portal anymore and I suspect one of the other admins misconfigured this within the System Manager of Core.
*Thread Reply:* Did you try ‘show portalacl’ in enable mode?
*Thread Reply:* It shows you the current acl rules.You can also change rules in config mode.
Hey folks, seeing some really stupid behavior with AE Work Profile enrollments on Android 10 and 11 Samsung devices of varying models on Core 10.0.0.1. Apps approved and deployed through AE no longer show up in MGP store on devices. Search for the app - nothing, only MobileIron and Webview Services (I believe it was). Have refreshed Google cert, updated play store services etc, collected logs. At this point MobileIron is escalating to Google which is...frustrating to me. Anyone else see this or experience something similar?
*Thread Reply:* not strictly MobileIron related, but had something similar with WS1 before they put a fix in: if you had an auto app update policy mixed in with any other policies it would cause issues and no apps would appear in the stores. The app update policy had to be separate. Not sure if the same issues were seen across other MDMs but perhaps that could be a starting point.
*Thread Reply:* After updating Google play and the webview, do the other apps show up? What version of Google play store is installed?
*Thread Reply:* I have noticed somewhat similar behavior. However, apps get installed and are available in MGP when the ‘silent install apps for mandatory apps’ option is selected, but the rationale for that was not understood.
*Thread Reply:* @Mark Vonk No other apps show up, Play services have yesterdays update, but issue existed prior as well
*Thread Reply:* @mahiroux yes, silent installs and the apps come down...usually....but cannot see them in the MGP store at all
*Thread Reply:* and don't want to silent install everything haha
*Thread Reply:* Did you by chance setup a Custom Store Layout (for example via the MobileIron iframe play store ui). If you did create a layout, I'm not quite sure if it can be undone so that all newly added apps are automatically added. Possibly a ticket to MI so that they can escalate to Google to clear the collections back to 'basic'
*Thread Reply:* Just to update this thread - Google has been involved for 3+ weeks now, and has so far been unable to fix this. I am having a really hard time with how this isn't a widespread issue
*Thread Reply:* Seems to be specific to MI Core - have not heard of this from other mdm vendors
*Thread Reply:* Is this is a relatively new Enterprise Google ID used for managed Google play?
*Thread Reply:* It's existed since at least late January
*Thread Reply:* worked as expected for a few months then...this
*Thread Reply:* did you update the config file that looks at the user agent? what does it look like?
*Thread Reply:* You mean config file of the existing relying party trust?
*Thread Reply:* no there is a config page update you need to make for adfs page so it routes only mobile traffic to this relying party.
*Thread Reply:* MI Access tries to obfuscate the change but the ADFSWebTheme change outlined in the instructions does this
*Thread Reply:* make sure that is only made to the relying part intended to and not the default web theme
Warning: the SSL certificate for support.mobileiron.com expired. So currently no Core/Sentry upgrades and KME enrollments possible. For KME I changed the download URL to https://play.google.com/managed/downloadManagingApp?identifier=mobileiron.core for now.
*Thread Reply:* Certificate has been renewed, problem solved.
*Thread Reply:* Ivanti clearly still learning the ropes with their new acquisition
*Thread Reply:* reason #3,894 I can't wait to leave MI behind
Is it possible to use Multi-user Secure Sign-In for iOS with MobileIron Cloud where the Microsoft apps get uninstalled AND the logged-in user is removed (cached user credentials)? It seems that you need to manually log off from an MS app and then you get logged off completely.. What I want to accomplish is that when the next user signs in, the Microsoft apps get reinstalled and the new user needs to sign in to the MS app.
@Yth I’d be curious to know if it’s possible with Microsoft apps. I found no way to force this with Google accounts.
Are you able to use iPadOS/Shared iPad? That’s really the direction people need to start learning towards.
*Thread Reply:* Customer is not using Managed Apple IDs for now and I need to find a solution where the user gets logged out - MS apps get removed - next user signs in - MS apps get reinstalled and no existing account is logged in in the MS apps
*Thread Reply:* Yeah / For my customer with GSuite.. it just came down to reminding users to log out of their account when they finished using the device. Not perfect by any means, but they too did not have managed IDs.
This is from the device logs on Core - does this mean the user removed the MDM profile?
@Mikey2000 That appears to be Core programmatically removing MDM profile from the device.
Anyone seeing access to the System Manager / Admin Manager portal running slowly? There was an upgrade done ~5-6 weeks ago and all went well, just giving an LDAP resync error. Anything I would need to try? (VMs are hosted by the customer; worth doing a reboot or is something else at play here?)
Core is at 11.0.0.1 and Two sentries at 9.9.0
Found an article in MI University
MobileIron Core: Slow Dashboard and Devices Tabs After Upgrading to Core 11.x
Just wondering if anyone has seen this recently? And what remediation steps they took, thanks in advance
@Bill Fitzgerald you will need to allow outbound access to pcs.mobileiron.com which is covered off in the article
Thanks Ala, what changed is it just due to the 11 build as per article
Its even very slow to access through credentials
Thanks @Ala Almaet have you seen this before?
@Bill Fitzgerald yes this is a known issue that customers have experienced with the fix to implement the work around provided in this article https://help.mobileiron.com/s/article-detail-page?Id=kA13n000000PTxICAW It also mentions that this is to be addressed long term in Core 11.3
alright what does MI have for reporting? Any hookup to Ivanti CI
Anyway to make a user input their cost center and dept at core enrollment?
@macbentosh Core or Cloud? DEP or BYOD? IF the Cost Center is part of their AD Attributes then you can leverage a Custom Attribute to report based on const center
May I suggest IronWorks - now for Cloud (as well as on-prem Core)?
#Android12 Beta 2 failed to activate with MobileIron Android Enterprise! Keeps circling inside Mobile@Work to get the updates for more than 20-30 minutes... How about your situation?
Quick one guys, for a MDM cert renewal, customer gets zero bytes CSR see it in MI University and a reboot of Core is mentioned, anyone see this before, what internet access is required for a MDM cert renewal?
*Thread Reply:* A previous KB said to try 10 times
*Thread Reply:* Need to make sure access to Apple servers I believe
*Thread Reply:* The CSR is created on the MobileIron Cloud infra (gateway) There was some maintenance yesterday (SRE-158305). It should be up and running fine now.
*Thread Reply:* Thanks it looks like internal issues, shutdown of all their internet services\firewall change freeze (sorry for delay in getting back on this, i appreciate the help) 🙂
I know this has been discussed here but I can’t find it anymore. We want to enroll Android 11 WPCOD devices with Knox Mobile Enrollment with MobileIron Core. That doesn’t work anymore. There was a special setting within the KME json, right? By any chance someone can drop that to me?
*Thread Reply:* You mean:
{"workProfileEnabled":true,"quickstart":true} ?
*Thread Reply:* Yes I believe thats it! Thank you
Anyone here have luck getting the zScaler Proxy Client to work with MobileIron Access? In our testing on macOS the traffic to auth is not routing via MI Access
its an interesting pickle given ones a http proxy steering agent and one is a device wide vpn
@Kiran Patel How do you have Access positioned? As the entry point for Auth or is it being del-auth’d from the primary IdP? So when you attempt to access an SP.. is the traffic that should be bound for Access just being null routed or not initiating at all?
*Thread Reply:* zScaler's IDP for SSO is Okta. Okta is DelIDP to MI Access
*Thread Reply:* I get the okta login page, it hits mi access and MI Access sees it as an untrusted device
*Thread Reply:* Interesting. So I wonder if something isn’t handing-off (user agent) from zScaler to Okta
*Thread Reply:* but you said it does redirect to Access from Okta
*Thread Reply:* Okay, so actually the chain there checks-out
*Thread Reply:* It’s just when the MacOS device gets dropped-off at Access that its failing to serve-up its trust credentials
*Thread Reply:* @Kiran Patel and before zScaler, Access was seeing the same MacOS device as trusted (Tunnel/VPN/Cert) and the SSO cycle would complete?
*Thread Reply:* yup exactly, I don't think the macOS packet tunnel is able to load due to the zScaler steering agent
*Thread Reply:* its just the zscaler app itself I can't get to SSO
Anyone else having iOS device check-in issues with MobileIron Core? Device will only check-in after a reboot of the device. APNS service is ok. Telnet to the APNS gateway also works. Within the M@W logs i found: Error: Domain=MIAuthErrorDomain Code=401 „refresh token is not valid“ Related? Core 11.2 M@W is up to date.
*Thread Reply:* What iOS version are the affected devices? There was a known check-in issue which was fixed in iOS 14.6.
Issue: iOS 14.x was found to stop processing MDM commands once a device receives a ManagedMediaList command.
Core check-ins include the ManagedMediaList command, even if you don’t use Managed books.
We found that affected devices were fixed by a reboot. This was confirmed by Apple support.
*Thread Reply:* Thanks for the info. The device has version 14.6
Anyone able to get macOS configured with Tunnel (packet tunnel) and " Extensible Single Sign-On Kerberos"
*Thread Reply:* I keep getting cert not found even though it's on the device and I can choose it from identities
We're configuring kiosk mode for the first time in our enterprise environment with MobileIron. Our users are worried about the new way of working because the icons of the dashboard are very, very small.
It is probably possible to configure this from the MobileIron Core console, but we haven't yet found where the place to change this feature is.
Can anybody help me please? Thanks in advance.
MobileIron Access (As A Service) question - if we enable MobileIron Access within the VPN config for iOS devices and add this VPN to the Microsoft Teams app, all the Teams traffic will be routed through Access, not only the authentication, right? We are not tunneling the traffic through Sentry. Our users complain that video calls will get cut off and have poor quality.
*Thread Reply:* Curious what the real world implications are here - we're juggling something similar and I can't imagine a live chat / video / conference call app is going to be a good experience if it's forced to VPN everything. Anxiously awaiting followup haha
*Thread Reply:* Totally with you on this. I am sure @Raul can help us out with this one! 😜
*Thread Reply:* IIRC you can selectively choose what is included in the tunnel. It should just be anything that matches your auth service URLs, etc. Everything else can be left alone.
*Thread Reply:* Gotcha. And for the case we just want to have the Access authentication use the VPN, how would the iOS VPN config have to look? Does anyone have an example or a link to a document showing how this should look?
*Thread Reply:* All traffic will be routed through Access. Only authentication will be sent to Access. Due to how Tunnel works with the iOS per-app VPN it will cause issues with the calling and video though. You have 2 options. 1. Don't apply a per-app VPN to Teams and instead distribute MS Authenticator and tunnel that app. 2. Configure the On Demand Tunnel config, which is an always-on VPN
*Thread Reply:* But If I don’t apply the VPN to the Teams app Access will detect Teams as an untrusted app.
*Thread Reply:* The authentication traffic only needs to go through Access. You can get that by setting up an on-demand vpn which connects automatically when the authentication URL (your adfs for example) is being called.
*Thread Reply:* Do you have an example config how this should look like?
*Thread Reply:* @Clark would you be able to confirm what Mark said here? Will that solve for this, without the degradation of voice and video?
*Thread Reply:* Within the on-demand tunnel config we need packet-tunnel instead of app-proxy (provider type) right? Can that coexist with another per-app vpn config for tunnel, because we also tunnel other apps via sentry.
*Thread Reply:* I am not really following Clark's option 1 with the MS Authenticator app. The user opens the Teams app, which should go through the Tunnel in order for Access to allow the app. How would MS Authenticator help here?
*Thread Reply:* Here are the steps for option 2: https://forums.ivanti.com/s/article/Securing-Skype-for-Business-and-Teams-apps-with-MobileIron-Access
*Thread Reply:* For option 1, if MS Authenticator is present on a device and you need to authenticate due to an expired authentication token, Teams will reach out to MS Authenticator to authenticate on its behalf and then MS Authenticator will give the token to Teams. Since Authenticator does all the work, Teams does not need a VPN so there is no degradation of service for calls and video. Also make sure that the Access FQDN is listed in the Safari domains section of the VPN as MS Authenticator requires it.
*Thread Reply:* Thank you @Clark 👍🙌 And the Access FQDN would be like: access-eu1.mobileiron.com or do I need the tenant GUID in the FQDN?
*Thread Reply:* How would I apply the same concept to Android Enterprise devices since the VPN config is not used there? Add routes within the Tunnel app configuration? Enable Split Tunnel within the Access portal? As far as I know, if I configure a Sentry within the Tunnel configuration and no routes, authentication will be sent to Access and everything else to Sentry.
*Thread Reply:* Split Tunnel in Access is for iOS only. First question, do you have a need to route any traffic through a Sentry on Android or did you want to use Access only?
*Thread Reply:* Ah ok. Yes, we have a couple of internal web services that we use via Sentry. And now we want to add O365 services which we need to secure via Access.
*Thread Reply:* this is assuming that the internal network is using the 10 range. Update to suit
*Thread Reply:* Great thanks. And put the MS Teams app into the disallowedapplist, right? Just out of curiosity, you placed com.mobileiron etc in the disallowedapplist.
*Thread Reply:* I would leave Teams out of the disallowed list otherwise during authentication you will be marked as untrusted. Using the split tunnel rules you will only tunnel Teams during authentication to Access. Maybe also the IDP if on premise like ADFS as well.
*Thread Reply:* What is the question regarding com.mobileiron?
*Thread Reply:* in case you are interested this is the full list I generally start with as a disallowed list when on Core: com.mobileiron;com.mobileiron.client.android.pim;com.mobileiron.tunnel.android.release;com.android.vending
*Thread Reply:* For Cloud I use: com.mobileiron.anyware.android;com.mobileiron.client.android.pim;com.mobileiron.tunnel.android.release;com.android.vending
*Thread Reply:* All credit for these lists goes to @Raul
*Thread Reply:* That solved all my questions, thank you 🙏
MobileIron Access & Citrix ADC (Netscaler) as IdP - is this supported?
if the federation between Citrix ADC and the SP uses SAML 2.0 standards then likely yes
Is anyone familiar with the status „waiting_send“ on Core for pushing user certificates to the device? The device is not receiving the user certificate.
Sorry for the question, but does a test certificate work? What type of cert authority are you using (local or NDES)?
*Thread Reply:* NDES - yes, issuing a test cert works
*Thread Reply:* Only one user is affected, which is weird
*Thread Reply:* Try the user with a different device (the easy check), otherwise it's looking at the cert logs on the NDES server!
*Thread Reply:* Good point, I'll try a new device. Why do you suspect an NDES issue? The cert has been issued and is visible on Core.
*Thread Reply:* Have seen it before with an AD related issue
*Thread Reply:* Ok different device same issue
Is it true that currently Cloud offers more features for Windows 10 management than Core? In that case would you still recommend Core for W10 or is Cloud the better choice
Was in an Ivanti partner session last week where Ivanti Endpoint Manager (No correlation to Microsoft Endpoint ) was promoted for Windows ahead of Ivanti MobileIron Bridge. Will boil down to use case and best fit.
MobileIron Cloud Firewall requirements - my old MobileIron domain bookmark is not working anymore and I am looking for the Firewall sheet for MobileIron Cloud. Can anyone point me to the new Ivanti document for this?
*Thread Reply:* @Mikey2000 https://forums.ivanti.com/s/article/MobileIron-Cloud-Ports-Hosts-and-IP-Addresses
Wifi config on MobileIron Core for cert based authentication - we have only checked TLS in the wifi config, not PEAP, but the wifi controller shows the device wants to use PEAP. Does anyone have an explanation for this? Could this be a problem on the radius?
*Thread Reply:* For use with Apple or Android? I found there to be several differences when going this direction, especially depending on what type of RADIUS system you're interacting with.
*Thread Reply:* Our network guy told me that on the RADIUS he has seen that the device wants to do PEAP, which makes no sense to me because I have not enabled it within the wifi config
*Thread Reply:* Ah, okay interesting @Mikey2000. Let me pull some of my previous configs and get back with you
*Thread Reply:* Great, appreciate it Woody, thank you.
MobileIron Cloud and Windows 10 Management - is there a way to prevent users from using USB drives and whitelist company USB drives OR do we need MTD for this?
*Thread Reply:* Hi, look under Windows Desktop Restrictions
*Thread Reply:* Hi.. yes I did. You can disable USB mass storage but I see no option in the GUI to whitelist company approved USB drives.
MobileIron Cloud - how can I enable 2FA for Cloud Admin login?
*Thread Reply:* Not as we normally know it, under User Settings you can set Admin Auth to password and PIN but it can only deliver PINs to your email account.
*Thread Reply:* Should be enough - thank you
Hi guys, quick query on MI: what version of Sentry supports Exchange 2016 CU21 (latest CU released in July)?
Looking through the documentation, I can't see it mentioned. Customer is on 9.12.0 Sentry and Core 11.1.0.0; any way to know for definite?
I see for 9.13.0 it goes as far as CU20 (using original login now) 🙂
9.13 as of yesterday is the only version with any support on it (a little time on 9.12)
So I have an Exchange config I want to put out with a password. When I enter it into the payload it says password incorrect. Enter the same password in iOS with no issues...
Hello, I'm working on MI Cloud, and I'd kindly ask: is it possible to configure a group of Fully Managed Android devices and a group of WPoCOD devices? I thought I could do this with the Android Enterprise configurations and the use of Spaces, but the configurations are only enabled for the Default Space. Am I taking the wrong approach? How do you recommend I do this? Thanks in advance
*Thread Reply:* I can't figure out how to manage two different registrations on MobileIron. With Workspace One I can create sub OGs on which I have full choice of the type of Android Enterprise configuration I want to implement. On MobileIron with Spaces I don't find this possible and even groups don't allow me to do so, from what I've seen. Can anyone give me any hints? Thanks!
*Thread Reply:* Hi, I don't want to cause any confusion, but you can use device groups (or even user groups) to differentiate between your config assignments. Is there a specific need you have for Spaces?
*Thread Reply:* Yes I can use the distribution based on device groups, but my problem is to create the rules for this group. Normally the device is an element that 'appears' on the platform once it has been registered, so I don't know its attributes in advance. I would have liked to configure the distribution of the two profiles (WPoCOD and Fully Managed) based on the user, who is present on the platform or who I can also add manually to a group. So my problem is how do I create two groups of devices that in one case select one type of configuration and in one case another?
*Thread Reply:* What determines which they should be? If it's the person using it, then a user group tied back to your IDP seems ideal. If it's device type and user, you can bring an existing User Group into the ruleset for evaluating a device group. Apologies if this isn't what you are looking for.
*Thread Reply:* Many thanks! I came to a similar solution but unfortunately there must be something wrong with the FullyManaged profile configuration, because I can only configure the WPoCOD one. Thanks, at least now I know that the way is correct!
*Thread Reply:* You may need to reach out to Ivanti support about the FullyManaged - your method is sound so they should be able to give it a once over and assist?
*Thread Reply:* I wouldn't want to do something wrong with the Provisioner app and the QR code it generates, because WPoCOD works fine with Android 11 and configuration distribution with the device group created with the method you suggested. While for Android 9 an Android Enterprise profile registration error appears. However, when I try the Device Owner registration, neither Android 11 (device resets while searching for updates) nor Android 9 (same profile error) works.
*Thread Reply:* I'll try some further analysis and possibly write to Ivanti
*Thread Reply:* Sounds intriguing. The Android 11 Device Owner reset indicates that it is not getting the AE configuration at all (reset is the default response in that case). Try adding the serial number of the test device to a device group and add that explicitly to the Android Enterprise lockdown. If it still fails, it's definitely one for Ivanti
*Thread Reply:* Thanks...I'll try
*Thread Reply:* I cleaned up the environment and redid the tests from scratch and now everything works. Thanks for the support
*Thread Reply:* My pleasure. Many times I've done a revert and retest; sometimes things just don't work even when they should. Best of luck with the rest of the project.
Azure Partner Compliance with MobileIron Core - after onboarding the device via MS authenticator, within the Azure devices it says MDM = „Intune“. Is the configured compliance partner not shown here?
*Thread Reply:* No, it will say Intune as the MDM even though it’s the Core
I have configured App Protection Policies on Core which seems to work fine - I know there is a option within the Endpoint Manager to see if the App Protection Policy has been applied - I can’t find it. Can anyone point me to the right Azure blade?
*Thread Reply:* I found the check-in count within the app protection policy blade itself - but the count is 0 . Should this work for Core devices?
Anyone using MFA for mobile enrollments into MobileIron on-prem CORE? Looking to enhance our authentication security.
*Thread Reply:* Are you looking for something like SAML + MFA or just a straight MFA via RADIUS, etc? Your best bet here is going to be SAML --> MFA. Core just doesn't have support for anything more, unless you locked down enrollment to trusted networks and enforced use of VPN to get enrolled, etc.
Slightly different approach: have you considered a switch to PIN-based auth (either with or without password)? Puts you in total control of registrations.
Hello folks, did someone successfully set up OAuth for iOS through Sentry with Azure Conditional Access? We follow the setup guide + add login.microsoftonline.net to Safari Tunneled domains, but after we log in (Azure says that's ok because it passes through Tunnel), we have the message "Cannot verify account information" and we don't see anything in the Sentry logs
Everything seems to work until we add Conditional Access to allow only traffic from customer IP
We can see 401 Unauthorized errors in Sentry logs
Will have a play around (we use Partner Device Compliance so sidestep the authentication issue as we do not need to tunnel anything)
I don’t know if you have seen this - we have tested and confirmed with iOS12 which works https://forums.ivanti.com/s/article/iOS-14-6-breaks-oAuth-functionality-as-v2-0-is-embedded-in-the-oAuth-Urls-in-Client-request
I changed the url manually on my 14.7 iPhone for testing
No tunnel specifically needed. Can have Sentry with just ActiveSync and OAuth pass-through enabled. Confirm OAuth in Sentry logs; look for Authorization: Bearer
We have to use Tunnel for auth on login.microsoftonline.net (Access Control based on network location)
*Thread Reply:* It seems so, I have issues connecting to the portal and enrolling devices….
The MI Cloud Connector - Can you enroll it using a dedicated account inside the tenant? Or does it have to be bound using the Tenant Admin?
I have used a different account from the EMMAdmin account before and it works fine
*Thread Reply:* @Clark Does it need any specific roles assigned?
*Thread Reply:* Think it just needs the System Management but have not tested this. Normally the customer has used another call that had all roles assigned
I am not able to connect Core with Azure for Partner compliance. After entering the tenant id on Core and clicking connect, the consent prompt opens. If I tick the box and continue, I receive the error „internal server error“. Anyone familiar with this?
I need to configure Outlook (Android Enterprise) for Exchange Online (modern auth) on Core. Can anyone share a valid config?
*Thread Reply:* There is not much you really need to do. This would work:
*Thread Reply:* Great thank you 😅✌️ By any chance you have the same for Samsung Email?
*Thread Reply:* Nope. Normally I do my best to talk clients out of using that app, as then you are tied into just Samsung devices. If you do not want to use Outlook for all devices then I would suggest looking at Gmail or Email+ 3, as both of them support modern auth and can be applied to all Android devices, not just Samsung
*Thread Reply:* Samsung e-mail does support modern auth and appconfig. So the config you need to apply is basically the same.
Looking for a perhaps canned App Report from the API that can tell me which apps have “Install on Device” flagged
*Thread Reply:* Thinking I’ll probably need to go straight to the API
*Thread Reply:* Yup, unless you use a third-party tool, e.g. our IronWorks solution, you’re down to rolling your own with the APIs at the moment.
*Thread Reply:* Sorry, not ideal, I’d be the first to agree.
*Thread Reply:* Agree @Jason - You guys have a free trial? I might be able to sell them on it, since they’re sticking with MI Cloud for the long haul
*Thread Reply:* Yup, certainly. DM me for more info?
If I retire a DEP enrolled device from Core, it will not be wiped like it would be with Android DO enrollments, where there is only wipe possible, right?
*Thread Reply:* Correct. If you retire a DEP enrolled device, it will only remove the MDM profile, managed apps, configs, policies etc.
*Thread Reply:* Thanks for confirming ✌️
For those who are not aware, Ivanti created a new community for customers & partners called “Ivanti Innovators”. On this platform Ivanti insiders (PM and other people) might add some great content to follow.
You can register here: https://innovators.ivanti.com/join/CSSTEMEA
you can earn coins to get some rewards (even Apple Watch!) 😍
I joined-up @NicolasR
MI Email+ configuration/Governance - Azure Device Compliance for iOS and Android : We want to know the How better O365 configuration for Email+ which can be controlled and validated using Microsoft Authenticator App as described in MobileIron Core - Azure Device Compliance for iOS and Android (ivanti.com) In this article its more described about the native email configuration but EMAIL+ is missing ?. Did anyone success with the Email+ App. #ivanti_mobileiron #Email+ #m365 #compliance
Hi Govi, I might be wrong but I'm not sure Email+ can support the Azure compliance API for iOS/Android. For me Access can solve this use case but not the AAD compliance (which is the same license)
Hi Nicolas, thanks for your response, but we don't use Access and I will check with MI internally! @Tohsheen any suggestion from your side?
Anyone on NA2 having issues deleting devices as of recently?
I got the same error. Will report it to the support team
Thanks @Clark! I figured it might be related to the emergency maintenance this weekend.
What are creative ways everyone is ensuring on DEP enrolled devices the MobileIron app gets launched post enrollment? Looking for an option that's the easiest for the user from a UX perspective. What's working, what's not working?
Debating testing: Label to catch devices supervised and no client check in to Single App Mode it and then removing it.
Wallpaper change with instructions
SMS/Push notification, etc
@Kiran Patel so you’re just wanting to make sure MobileIron GO is launched post-deployment (so it activates and the token does not expire). Right?
although we are hybrid and still on Core. Should be Go soon enough though
Gotcha. Temporarily changing the Background might be your best bet. Everything else they can ignore…
Partner Compliance with MobileIron Core - can we also use a different app for Azure registration or is the MS Authenticator mandatory for the complete workflow?
*Thread Reply:* It's mandatory because it registers the device in Azure AD with the correct correlated Azure AD device identifier.
*Thread Reply:* I see. I am not sure if you are familiar with DUO? It also has the possibility to register the device in Azure. But it would not use the right Azure AD ID?
*Thread Reply:* MobileIron is not saying you have to use Authenticator. Microsoft is forcing this. Feel free to open a ticket asking MS for a feature request to use other applications for reporting back data to Azure. Will say that MS would likely be very resistant as they want to tie you into the MS stack as heavily as possible and allowing other apps goes in the opposite direction.
*Thread Reply:* I see. Thanks for the info. 🙌
How can I deploy a configuration to a device group (like all iOS) with MobileIron Cloud? Is that not possible? I can only assign User Groups!
As we may have discussed before you can add a User Group to a Device Group as well
So @Mikey2000 do you have an app that you need to deploy to User Groups AND Device groups? If it is an app that truly needs to go out to specific device platforms (albeit restricted to a certain audience), you’d be best flipping it over to Device Groups and using a Device Group that is trimmed down (based on a User Group, etc).
Can someone outline the steps to enable KCD for CIFS shares on Docs@Work? I have already configured KCD for ActiveSync and on-premise SharePoint sites. Now I want to extend it to CIFS as well. What are the configurations required on the CIFS server & KCD?
@mahiroux - Wow, it’s been a minute since I’ve set that one up. Are you using the same Sentry with KDC setup (EAS/SharePoint) to access the CIFS shares? Going from memory… It’s mostly about creating a new entry in the Sentry config and making sure the KCD service account has been setup for del auth inside the server objects in AD. Oh, and of course opening-up FW ports to allow Sentry —> CIFS share communications. Otherwise, I think that’s it.
perfect Woody, CIFS does KCD natively so no messing about with IIS required
Does anyone know a third party product to set signatures on iPhone mail?
*Thread Reply:* depending on your infrastructure you can achieve this after it leaves the device. For example, we use Exclaimer which applies the signature to all our emails regardless of the device. The device signature is just saved locally whereas the exclaimer applies it in the cloud after it is sent.
*Thread Reply:* Digging that solution @Ajay Patel. Centralize/standardize and be done. What layer does Exclaimer plug-in to?
*Thread Reply:* It's done using a send connector, transport rule and receive connector so it can pass the email to their cloud signature solution and then back out to 365 for delivery
*Thread Reply:* but also an SPF record so that your emails are not classed as junk
*Thread Reply:* Ah, that makes sense @Ajay Patel. So it is more of a 3rd party handler instead of an integrated tool.
*Thread Reply:* Yes, I don't think Microsoft has anything out of the box regarding signatures, as they tend to be more client side (i.e. controlled from Outlook) whereas 3rd party products allow it to be controlled server side
*Thread Reply:* Update - under device details I can see MDM Lost Mode Enabled is false. I was able to send a lost mode request, but if the device is offline it will not send a new status back to Core, right?
*Thread Reply:* is the device supervised?
*Thread Reply:* when was last device check-in as it relates to you sending the lock command?
*Thread Reply:* Check-in was 2 days ago. Sending the lost command was today
*Thread Reply:* Working as expected then? Can't get a command if it has no network or is powered down
*Thread Reply:* which it's likely one of those two things
*Thread Reply:* That's what I thought. And that's why the request location is not working
*Thread Reply:* Ok thx.. which kind of beats the purpose
*Thread Reply:* that be how the internet works man
*Thread Reply:* But it should remain flagged as lost with Apple, right?
*Thread Reply:* I'm not sure what you mean by with Apple
*Thread Reply:* If the device goes online again, isn't it supposed to be flagged as lost on the Apple servers so no one can use it anymore? At least that's what I was told about how the lost mode works
*Thread Reply:* I'm not aware of that having anything to do with Apple servers but I could just be ignorant to that functionality. If that device ever re-gains network access, the Lost Mode command you sent should apply pretty quick
We are in the mix of rolling out Apple Business Manager with MobileIron Core. If we factory reset an existing device and apply a backup which is of course from a non-supervised device, and we apply the backup during the Apple setup wizard, everything should be fine, right?
*Thread Reply:* it is my experience that it works when using a backup that does not contain certificates from MDM or device identifier from Azure. Otherwise it may fail
*Thread Reply:* If that backup originates from the same device, it will inherit supervision status (unsupervised) from that backup.
I believe you need to complete the enrollment and restore the backup afterwards.
*Thread Reply:* Wouldn't that erase the supervision?
*Thread Reply:* Not sure about MI but in MaaS360 we would
*Thread Reply:* You mean you would erase the supervision or it works like that
*Thread Reply:* see https://www.ibm.com/support/pages/dep-ios-backup-and-restore-guide
*Thread Reply:* Nice reference @Eric Bos! Nowadays, there is also Quick Start to take into account - https://support.apple.com/en-us/HT210216 - the device-to-device data transfer piece doesn't work for ABM enrolled devices, so an iCloud based transfer gets used. Fun addition in iOS 15 is that for new device setup, unlimited iCloud storage can be used for the transfer at no cost (for up to 21 days)
Hi guys, how do you push scripts on MobileIron for Mac OS and Windows 10 devices ?
Windows use Bridge and send PowerShell commands. Note you can only address the user environment. I've done a few; if you want to PM me what you want to achieve I'll see if I have an example of it. For Macs it's AppleScript and I have not done a lot with that.
Is this true that Core 11.4 will require Client Mutual Auth? That would also mean we have to migrate Apps@Work to a different port.
*Thread Reply:* Uhh what is this now? Do you have a link to any documentation?
*Thread Reply:* No it does not require it. It will show a banner:
*Thread Reply:* If Core is installed or updated to 11.4.0.0 release and mutual authentication has not been enabled, a red reminder banner will display in a ribbon just below the Admin portal masthead. To enable mutual authentication, go to Settings > System Settings > Security > Certificate Authentication > Client Mutual Certificate Authentication page. Once enabled, the banner does not appear again. For more information about mutual authentication, see Mutual authentication between devices and Core in the Managing Certificates and Configuring Certificate Authorities chapter of the Core Device Management Guide for your operating system.
*Thread Reply:* Thanks Mark. Exactly what I meant! 🙏
*Thread Reply:* Yet the first sentence is: Core now requires mutual authentication with managed devices for a more secure connection. 😄
*Thread Reply:* Required by putting up a red banner 😉 It does not enable it and you can choose to ignore it
*Thread Reply:* @Mikey2000 Starting with Core 11.4 Ivanti are providing a banner as a reminder to turn this functionality on, in future releases this will become mandatory to enable.
Anyone else having issues with the current version of OneDrive for iOS? If we push the app via VPP the app crashes. If we install the app directly from the AppStore without VPP the app works.
*Thread Reply:* OneDrive version 12.53.21 is out which has the fix for the app crash issue.
#mi_sentry #Sentry v9.14 -> Support for Azure AD Conditional Access rules , have anyone tried this to control the EXO configuration for Managed/Unmanaged BYOD devices through Azure Conditional access ?. thanks
Has anyone configured multiple EAS accounts for the iOS native mail app through Sentry? I am sending two Exchange profiles to the same device, however only the primary one is getting applied and the second config shows pending. Any help will be much appreciated.
Oh wow @mahiroux - I think there was a hack to make this work many moons ago. I’m checking my notes to see if I’ve got anything on it
@Woody That's wonderful. We are desperately looking for a hack to make this work.
*Thread Reply:* @mahiroux Sorry, just getting back to this. Yesterday was pretty crazy
*Thread Reply:* Any insights into whether the EMMs going down the API route will be abandoning custom DPC?
*Thread Reply:* Nothing explicit but this is implied - AMAPI isn't giving up the DPC they ship with, and only one DO on-device. I expect they'll bring a bit more power to companion apps to accommodate missing features in AMAPI today
*Thread Reply:* Nothing says Mobile/Endpoint Management like MobileIr… er Ivanti
*Thread Reply:* I feel like it’s going to be an AirWatch/WS1 thing… where it’s formally called Workspace ONE UEM but everyone still affectionately refers to it as AW
*Thread Reply:* Because it rolls off the tongue so much easier
*Thread Reply:* It's a far cooler name. It'll be MobileIron whenever I talk about it forever more no matter how Ivanti try to erase it 😛
Is it possible to disable MAC address randomization for Android on MI Core?
*Thread Reply:* @Yth This is coming in a future H1 2022 release.
We need to migrate Core and Sentry to a new datacenter (new IP addresses, FQDN stays the same) Is it wise (or even supported) to migrate the VMs with Veeam Replication? Or fresh installation and restore?
I would build new and restore; that way you have a fixed remediation point in the event of error. Not saying you cannot use Veeam, just a belt and braces approach. Building a new chassis can also flush out any hidden issues with multiple upgrades (done it more than a few times over the years)
@Mikey2000 you can use the built-in HA tool for Core that will transfer everything from Host A to Host B.
Though what @Steve Hayton was alluding to is completely fine
Recommend as above. A few years back, had a customer use Veeam for migration only to find network interfaces were down and not resolved with reboots. Dev-shell to reset the interfaces
I prefer a rebuild over HA as 1. you don’t need professional services and 2. more importantly you know exactly where the cut off point of snapshot is so you can define the change window
Thanks guys. Sentry should be easy. Core needs some preparation, but I used to have a task list of what is important
Sentrys are a doddle; spin them up with the same name and refresh the config under services after you have changed DNS
Core start to finish (if the firewall rules are set correctly in the new datacentre) I've done from bare ISO in under 3 hours, but it's not something to rush
Help@Work for iOS on MI Core - is anyone using it? Is there still an Apple TV and Bonjour required or can we use also Teamviewer like we can on Cloud?
and yes to having used it and having customers who use it
Does MobileIron offer anything Multi-User on Android Enterprise like the WS1 Launcher? I’m not seeing anything besides Lockdown & Kiosk, which mostly indicates a custom Kiosk (launcher?) but no mention of multi-user or sign-in/sign-out functionality.
*Thread Reply:* Sure! Android Kiosk gives you multi-user sign-in/out.
*Thread Reply:* Got it @Almar Diehl - I was checking the configs but they don’t really call it out in there. Just says Kiosk and launcher to present the apps you want present, etc
Anyone else having problems enrolling iOS into MI Cloud? Error message after trying to install the profile: no connection to server. Wi-Fi or 3G, the same
If we integrate AAD with MI Cloud, users from Azure will be imported into Cloud and therefore users are able to enroll with their Azure credentials right?
*Thread Reply:* yes, here is the guide for doing this: https://forums.ivanti.com/s/article/MobileIron-Cloud-Azure-Active-Directory-User-and-Group-Import-and-Authentication-7382
*Thread Reply:* Great thanks. I used this guide, but the sync is failing (AAD sync unsuccessful)
*Thread Reply:* Every time I have seen it not work was because there was a setting missed during the configuration. Recommend going through the setup with a fine tooth comb.
*Thread Reply:* I have gone over it with my colleagues - everything was done exactly as described. Maybe a missing license on Azure? Are there any helpful logs?
*Thread Reply:* Never heard of anyone accusing Azure of having helpful logs 😆 In all honesty I am not sure what logs you would need to review on the Azure side. You are not trying to sign into Azure using an account that is federated or requires MFA, are you? Confirm the account works by signing into portal.azure.com and is not getting prompted to update a password, and ensure you are only using an onmicrosoft.com admin account
*Thread Reply:* Right, no my Azure Global admin that I used to accept the permissions in Cloud is non federated and non MFA and a onmicrosoft.com account.
*Thread Reply:* I guess this could be the issue: „Using Azure AD as the IDP requires a Microsoft Azure AD Premium subscription.“
*Thread Reply:* Found the issue - the documentation is missing one crucial point - granting admin consent in the MobileIron Azure Integration enterprise app!
I am kind of confused with this error message with registration of Android devices on Core. Device has a label with an Android Enterprise work profile config prior to registration , but we still receive this error with some devices. Not all of them. Has there been a change with new Core versions and AE enrollment? Sure this is DA mode, but we have attached an AE config anyway like we always did.
*Thread Reply:* We had the same after upgrading Core to 11.3. Fixed it by applying the label Alle Android Devices to the AE config. All labels we had applied before had a more complex filter that seemed to apply just after enrollment.
*Thread Reply:* This is strange. Gotta try it - thanks Almar
*Thread Reply:* But how would you solve that with different enrollments like COBO and COPE?
Users are unable to copy larger (1 MB and above) files from Docs@Work to a CIFS network folder. I see HTTP 408, Reason: File copy failed due to socket timeout. Has anyone faced a similar issue? Is there a known fix for this issue?
Anyone familiar with this error on a AppTunnel Sentry - looks to me that there is an issue with the CRL:
„UNKNOWN_CRL(The CRL entry was not found in the cache.)“
Is the CRL distribution point reachable by Sentry? Sentry should then cache it locally for the period of the CRL lifetime. So also check if the CRL is correctly refreshed, i.e. not expired.
Hello folks, is there any plan to support Nutanix for Core/Sentry?
*Thread Reply:* Hi @Florent N. there are currently no plans to support Nutanix AHV for Core/Sentry. Currently supported platforms are VMware and Hyper-V. If you are running Nutanix as an all-in-one hyper-converged platform with VMware on top then there are no issues with that, as it's still VMware.
Curious how everyone using Email+ is dealing with TextID of managed contacts since Contact Export is broken (it depends on the removal of unmanaged access to managed files).
Hi all, I'm sure you are aware that on-prem versions of MobileIron Core and Sentry are vulnerable to log4j. A hotfix is available as of this morning.
Relevant to that, I think Ivanti's patch correctly removes the JNDI class instead of just upgrading Log4J to 2.15.0, which was the original mitigation. But other systems in your environment might not have followed the same path: https://nvd.nist.gov/vuln/detail/CVE-2021-45046
Anyone using help@work on Core for iOS? I am not able to connect to the device. Anything special needed on the device besides the QS app and that screen recording is set to Teamviewer? Android works though. Only iOS will not connect.
*Thread Reply:* iOS can be a bit tricky. You need the app installed first. And running
*Thread Reply:* You mean start QS on the device before initiating remote support on Core?
*Thread Reply:* Yes. Then try it. Oddly ios is not friendly to qs
*Thread Reply:* And the user must also activate screen sharing for teamviewer (Notification Center) right?
*Thread Reply:* Yes, it's all about permissions
Hi, a couple of users are using Xiaomi (model Poco X3 GT) and work apps show as paused when users try to open any attachments from Email+. How to fix this issue?
*Thread Reply:* You'll need to raise this with mobileiron. Capture a bug report after replicating it and they can escalate to the OEM.
Believe I just saw some reports of an issue and engineering is looking into it.
It seems to be back, from a login/SSO perspective
Am I wrong with this? With Android Enterprise there is no automatic triggering of MobileIron Tunnel like there is with iOS, only Always-On.
*Thread Reply:* Hi , you can set allowed list to have the “per app” experience if that is what you are referring to? or is it related to restricted system settings as per here: https://support.google.com/work/android/answer/9213914?hl=en
*Thread Reply:* The question was rather: how can MobileIron Tunnel on Android Enterprise devices be triggered? On iOS you can trigger Tunnel when opening an app. As far as I know this is not possible with Android.
*Thread Reply:* For instance: opening Chrome will not trigger MobileIron Tunnel even Chrome is in the allowed list within Tunnel
*Thread Reply:* it will be an always running VPN. We are limited to the limitation of the OS.
*Thread Reply:* ^ but you can still define per-app VPN split tunnelling and the usage of always on VPN isn't a colossal battery drain if it's not routing traffic
SCEP on Core - Error issuing a test certificate - could not obtain certificate from CA - which log file on Core should contain more details? Certactivity.log?
*Thread Reply:* @Mikey2000 Enable Trace logging and look at the MIFS file
I have a new user and he brought a new Samsung A22 device. He is entering his email ID to register his device to MI Core in work profile mode using the M@Work app. But the application closes automatically after the user enters his email ID and taps Register (screen shows "we are trying to find you"). When the user installed the Test DPC app, everything went smoothly and the work profile was successfully created. Any assistance to troubleshoot this issue is highly appreciated.
*Thread Reply:* @mahiroux Did you register your domain with MobileIron to find your core? As alternative you could add the URL manually then authenticate on Core to enroll. Make sure that the Android Enterprise Workprofile Config gets applied on the device.
*Thread Reply:* Opened a case with Ivanti and this issue is currently seen on the following models as well. Ivanti has opened a vendor ticket with Samsung.
• SM-A105F • SM-A110F • SM-A520F • SM-A720F
*Thread Reply:* This issue has been identified as a bug and the fix is expected in m@w client 11.6
*Thread Reply:* Did you try downloading the previous version of M@W using this URL?
https://support.mobileiron.com/android/mobileiron-MIClient-11.4.0.1.apk
*Thread Reply:* Tried 11.4 and 11.3 but the result was the same. Later Ivanti confirmed that the issue affects previous versions as well.
*Thread Reply:* Issue is fixed in M@W 11.5.1, which is currently in beta.
Has anyone configured Outlook with Kerberos Constrained Delegation on Core with Exchange On-Premise?
*Thread Reply:* But there is no support for iOS 15
MobileIron Access only for one Relying Party Trust - does anyone know how this has to be done on the ADFS? I am not an expert on ADFS, but I am thinking: Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName "Office 365" -SourceWebThemeName "MobileIron Access"
We are planning to migrate from on-prem Exchange to Exchange Online and we have already installed a new Sentry to test Exchange Online. We are currently using KCD for ActiveSync; how do we deliver a password-less email setup for users once we move to Exchange Online? We are not using MI Access and we are using native mail (iOS) and Email+ (Android AE).
*Thread Reply:* If you are pushing EOL traffic through the sentry then short answer is you can’t. Device Authn to Sentry will be cert based and then from Sentry to EOL will be just a passthru
For passwordless you will need to setup CBA for EOL and have traffic direct to EOL rather than the sentry
@Martin Any drawbacks if we go with CBA+ Oauth approach? iOS native mail is supported?
*Thread Reply:* iOS native email supports CBA, you no longer have the Sentry server providing compliance checking, instead use Partner Device Compliance to get your MI Compliance status into Endpoint Manager to get the required control should a device fall out of compliance
*Thread Reply:* Thanks Steve and Martin for the valuable comments. Will this setup work if O365 has MFA enabled?
*Thread Reply:* yes you have to install authenticator on the phone
*Thread Reply:* Mandatory for partner compliance (ie authenticator on that device not another phone you happen to have)
*Thread Reply:* Thank you @Steve Hayton, does CBA+OAuth with partner compliance work with Android AE Email+?
*Thread Reply:* We use ADFS. Can we still use CBA+OAuth or do we require Access for email sync to work?
Can anyone tell me how to change the default gateway on the Sentry via CLI?
ip route 0.0.0.0 0.0.0.0 [ip-address of gateway]
We are planning to migrate from Microsoft on-prem to a cloud hybrid infrastructure which includes Exchange, SharePoint, Power BI etc. We would like to keep MobileIron as MDM but are looking at the possibility of pushing Microsoft apps such as Outlook or OneDrive with Intune MAM policies. Appreciate any suggestions or recommendations in this regard.
*Thread Reply:* @mahiroux this KB article should assist with intune MAM policies through MI https://forums.ivanti.com/s/article/MobileIron-Core-Office-365-Mobile-App-Protection-Graph-API-7265
*Thread Reply:* Why do we need Graph API, can't we push the MAM policy directly from Intune?
*Thread Reply:* Why manage them from 2 consoles when you can create and deploy them from MI Core/Cloud to O365 apps and also view the status/reporting for devices from the one console?
*Thread Reply:* Are there any limitations if we manage Microsoft apps using Graph API over directly using Intune MAM policies? Do we have all the Intune MAM policies available with Graph API? Sorry for being naive, as I don't have much knowledge of Intune and how it works.
*Thread Reply:* You get all the Intune MAM policies available to you when you setup MS O365 Graph API
*Thread Reply:* You do it with Graph API
In the Azure app registration API Permission page (for Graph API), I see a warning banner for MobileIron which states that "This application is using Azure AD Graph API, which is on deprecation path…". Any action required from our side, or is this required to be addressed by MobileIron?
Anyone using Temporary Access Pass for enrollment? The admin has to create the TAP. Is there an automatic process by which the generated TAP will be submitted to the users, or is this a manual process by the admin?
Hi, need help: for the MS Outlook app for iOS, can I get the full list of AppConfig keys to create a .plist for allowing/restricting certain features? Via MobileIron Core.
Think this is what you are looking for https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outloo[…]ook-for-ios-and-android-configuration-with-microsoft-intune
Is there a way to access System Manager of Sentry if all known accounts are not working? Also the enable secret is not working. Tried to add a new user via VMware console. I am thinking new installation of Sentry.
If you have spent that much time trying to get in, I'd build a new Sentry on a temp IP address and configure the System Manager fully, shut down the old one via VMware, then put the proper IP on the new one. Save and reboot it, then re-push the profile from the console. Minimal downtime.
*Thread Reply:* You are right. Looks like we have the same issue with Core MICS. We are able to log in with the local admin account within the Admin Portal, but not the System Manager. This is weird.
*Thread Reply:* the passwords are not synced past the first setup, Admin and System thereafter become different accounts so the password changes are independent
*Thread Reply:* do you have the enable password for Core?
*Thread Reply:* We have it.. but its not working. Nobody changed it.
*Thread Reply:* We used the account which was setup during installation
*Thread Reply:* raise a support case on the Core, you need to get back into it. had you applied all the log4j patches?
*Thread Reply:* I guess not on all systems 😀
*Thread Reply:* ok, when you get back into it (Core) do a chassis swap ASAP
*Thread Reply:* get yourself back into the Core then tag me here and we can discuss in direct chat
If we have enabled app auto-update for VPP apps on MobileIron Core, is there a schedule for how these app updates are recognized by the devices?
*Thread Reply:* I always thought it was 24h after app update is available in public app store
Partner Compliance problem on iOS devices. Azure Client Status Code on Core says "Interaction Required", but within M@W the integration of M365 Access has a ✅. The compliance status in Azure is N/A. The user has an Intune license. Does anyone know what's missing?
Partner Compliance with Azure - is there a way to trigger an Azure Monitoring Alert if the partner status has „connection lost“?
*Thread Reply:* nothing from within MI. You may want to check with MS to see if they have any alerting
Where did the button for iOS software updates go in Core 11.5? It is not in the actions menu anymore.
*Thread Reply:* why in the world was this removed?
"Clicking Save will re-push profiles to all matching devices even if no change to the configuration was made." I can't remember what the actual end-user interaction is here for the life of me and can't easily test this - does this cause the user to have to re-install the profile or is it just a notification that a new profile has been installed?
The profiles will push down to the device, but whether there is an impact depends on the config. If it is Exchange, a user may need to reauthenticate; if it is a privacy policy, they will need to click OK acknowledging the change; or the change is something that requires user interaction, such as changing the password length from 6 to 8. Beyond that there should not be a notification or impact to users.
What is the general consensus regarding the MobileIron Core to Cloud Migration Tool? Is it normally reliable? Having some weird results moving Android devices over and couldn't tell if that's just to be expected or if something is configured incorrectly.
If only they had left the product name alone… #MICore
Help@Work via Core (EPMwhocares).. Is it possible that 2 admins connect to the same device via Core actions menu?
*Thread Reply:* Does TeamViewer allow separate connections to the same device? If TeamViewer allows it, I would see no issues from the Core side.
*Thread Reply:* Good question. Not sure but I believe I have seen that. Gotta test this
*Thread Reply:* Update: You can only connect once to a device. A second session is not allowed - TeamViewer message: already connected..
Hey guys. What have people been seeing with this change from AAD user source to AAD User provisioning process
*Thread Reply:* @Peuge did MI build an app in AAD that is handling user lifecycle (vs just providing a feed of users/groups)?
Have you assigned the enterprise app to a user or group to sync down to Cloud? Unlike the old method, it does not dump your entire AAD into Cloud. You have to pick what to sync. Nested groups are not supported either. That is a MS limitation, not a MI one.
*Thread Reply:* So we assigned the app to all users and MI Cloud is absolutely not pulling in all users.
*Thread Reply:* seeing 82 I think in AAD, 78 in MI Cloud, users populated in the Users tab look okay, but then there is another discrepancy with MI Cloud's All Users group which only contains 57 users and is requiring me to one-by-one add more users so they can actually enroll and not get hit with invalid creds
*Thread Reply:* Are any of the users in nested groups as MS does not support that. Also, check as I believe there will be an error log on Azure it refuses to sync users. Could give you a clue as to why it is not syncing everyone.
*Thread Reply:* oooh wait so even if the ent app is assigned globally to all users, if a particular user resides in a nested group, they won't get auto-imported?
*Thread Reply:* That could be what I'm seeing
Has anyone experienced slowness in MICloud and it being a bit glitchy
having issues with AD auth over DEP Enrollment - manual enrollments AD auth works fine - thoughts?
"You're credentials are either invalid or wrong"
@Peuge @Justin Butts it was still slow today. Same for you guys?
*Thread Reply:* is the re-brand causing the outage I am having?
*Thread Reply:* No, that rebranding has been in place for a few weeks now depending on the location of your tenant. Are you on na2 by chance? I am seeing some odd issues in my lab on na2. I would suggest opening a support case on any outage you are seeing
*Thread Reply:* Yea it was tongue in cheek haha. But yes I am experiencing issues on na2
*Thread Reply:* @Clark Support says its an na2 outage. As of 5 minutes ago no eta and no idea what caused it
*Thread Reply:* Per the status page a fix has been put in place
First I've seen this from any MDM - anyone have any thoughts?
user trying to update a VPP'd app in app store web clip
Switch to device based tokens. Looks like it is set to user based right now
*Thread Reply:* Indeed, this is the notification you get when the VPP licenses are set to user based.
*Thread Reply:* weird - could have sworn they were all device based - thanks!
Has anyone got experience with load balancing AWS Sentries? I have questions in particular around: • What relationship the hostname has given that the AWS install guides recommends “you use the Public DNS name provided by AWS”. This hostname goes against the Sentry records in Cloud, however the hostname isn’t static. I’m ultimately not wanting to set static public IPs for my Sentries so can the hostname just be set to anything random as an identifier? • How to perform the health checks using for example an AWS NLB. Given I’ll be using certificates it seems like Sentry is just outright denying any HTTPS/TCP requests as all my health checks have been failing. The doco vaguely suggests doing a TCP_ALL / PING health check but I don’t know if that’s a limitation within AWS NLBs. Given Ivanti support AWS based Sentries I’m left with a lot of questions around how to configure the load balancing of them.
Any way to setup access to a 2nd calendar (Exchange on premise) for Samsung A13 using Android 12.0 (they are using email version 3.0 from Mobileiron University not seeing it as possible)
*Thread Reply:* It is possible. You may refer to the Email+ documentation.
Meant to say they are using Core with no Sentry for above query
Is it possible to use Docs@work alone with Intune as MDM? Is there such licensing model available?
*Thread Reply:* That’s a great question. Technically you could deploy it as a managed app. If perhaps the licensing/activation can be pushed as part of the payload, I don’t see why not. No idea what MI/Ivanti would say though.
*Thread Reply:* There is no licensing model to cover this type of setup. Docs@Work is designed as part of AppConnect and uses Mobile@Work for the authorisation
*Thread Reply:* @Ala Almaet darn. You'd think they’d explore that. I know EBF and Hypergate sell file clients that are UEM agnostic.
*Thread Reply:* Out of curiosity, what's the use case for Docs@Work in an Intune environment?
*Thread Reply:* Our use case is to access On premise CIFS network share.
*Thread Reply:* I am in touch with EBF sales team and probably arrange a POC soon.
Anyone here using Hypergate for the same scenario?
*Thread Reply:* @mahiroux While I don’t personally know anyone using Hypergate in the field, I’ve set it up a few times. It’s pretty much straight to the point
Having an issue with Zebra RC93 (work managed enrollment) - 2 private apps will not get installed on some of these devices. On one Zebra device (also RC93) the installation works, and also on Samsung smartphones there is no issue. We have no clue why the apps are not pushed to these devices. Any ideas? Other apps like Google Chrome have no issues - they get pushed.
*Thread Reply:* My guess would be a hardware requirement that the device doesn't meet. MC93s can be optionally equipped with a camera, so my guess would be the app requires camera access and the MC93s that aren't installing don't have cameras.
*Thread Reply:* You are right - the device where it worked has a camera, so very good hint. MC93C is the one where it works - C for Camera? So ask the developer about the hardware requirements? Is there a log where I might find details about that? I have pulled ADB logs and bug report but nothing useful.
*Thread Reply:* I think the developer would have to resolve this somehow yeah. I want to say its Google Play that is detecting that the camera is requested somewhere in the app manifest and refusing to install it on devices without cameras in order to avoid frustrating/ confusing the end user. Its a consumer grade protection feature that can get in the way in situations like this. I think you may be able to install the APK directly on the devices without involving Google Play if the developer can provide you with a copy. That might be the easiest route unless the app truly needs the camera for a given workflow.
*Thread Reply:* Great, thanks Matt. 🙏 Maybe there is a way to find hints about the hardware requirements in the app permissions within the iFrame?
*Thread Reply:* Just in case if the developer is not willing to invest time 😃
*Thread Reply:* You could potentially download the APK from an APK mirror and then unzip it to extract the manifest to inspect it yourself
*Thread Reply:* but if it is a private app published just to your org id it likely won’t be in an apk mirror
*Thread Reply:* I’ve used this before: https://www.sisik.eu/apk-tool
*Thread Reply:* I have checked the manifest:
<uses-feature android:name="android.hardware.nfc" android:required="false" />
and
<uses-permission android:name="android.permission.CAMERA" />
So if the device has no camera, will the permission tag prohibit the installation? Or rather the android.hardware.nfc if the device has no NFC? Even though it's not required.
Our developer will provide a new APK on Monday.
*Thread Reply:* I think without the camera it will potentially install if sideloaded, but the app itself may become unstable or crash depending on if the developer has designed it to gracefully handle a lack of camera.
*Thread Reply:* Depending on what the app does it may have a workflow that requires a camera at some point and without that the app may crash or create a dead end for the end user.
*Thread Reply:* You hit the nail right on its head - developer changed the hardware requirements. Now it works. Thanks Matt, learned something again 👍
Any idea why this happens on Core locating a device? I am thinking either a browser issue or a FW block - if I try this from an external workstation it works.
*Thread Reply:* Core is trying to load resources from Mapquest. I'd put money on a proxy config or firewall rule blocking it.
Does the blacklist key value pair within Web@Work work both for Android and iOS?
Can someone provide me a visual of the MI Cloud option to exclude local users from SSO/SAML once it is configured?
Wouldn’t you know, mid-way through maintenance and NA2 goes south. 😑 https://status.ivanticloud.com/incidents/bp4rj7z9b04b
NA2 is acting up again. https://status.ivanticloud.com/incidents/kp6lpt63mcnd
We've had so many outages lately with NA2 its crazy right @John Zmyslowski lol
We have a customer which still has Android devices in Device Admin mode and native Samsung email configured via an Exchange profile on O365. With O365 disabling basic authentication, does anyone have any ideas whether it is possible to push an OAuth-capable Exchange profile for Android, or any other scalable solution?
*Thread Reply:* Without switching to AE, all other options would require users to set up the email themselves. Can't push an Exchange config to the Samsung email app that uses modern auth when doing DA.
*Thread Reply:* Hi Clark, That's confirming our same conclusion. Thanks for the reply
*Thread Reply:* I think you can enable modern auth with the Samsung native email app. The Samsung native email app does support modern auth now. You need to make or add some custom config for this. Check on the Samsung website, but not sure about DA mode.
Is there a way to allow Safari for MobileIron Access? Even though Safari is using the Tunnel, it shows up on Access as an unmanaged application.
*Thread Reply:* @Mikey2000 we have this working. What does your VPN profile look like under Safari domains?
Hello all. I'm trying to determine if its possible to deploy a Windows Provisioning Package wrapped in a PowerShell script to Windows 10/11 devices using MobileIron Cloud. Any help is appreciated.
*Thread Reply:* Maybe creating a msi file which install the ppkg using PowerShell https://learn.microsoft.com/en-us/powershell/module/provisioning/install-provisioningpackage?view=windowsserver2022-ps
MI Core - BYOD Android with Work Profile - the Retire command makes the device disappear from the console and then the device just continues chugging along, fully enrolled.
*Thread Reply:* Device remained fully managed with full access until I forced a manual check in within MobileIron App > Settings > Force Check in....the check in button from the MI App splash page does absolutely nothing
*Thread Reply:* I can count on zero hands how many people are going to perform that action post retire
*Thread Reply:* I have seen it take some time and a manual check-in does force it. Check the setting in the sync policy to confirm the device does check-in regularly
What is going on at Ivanti? Customers are jumping ship from MobileIron to Intune, and it's painful to watch.
*Thread Reply:* A lot of people are jumping ship to Intune from my perspective
*Thread Reply:* Intune is very competitively priced and wrapped up into an o365 subscription for ease of billing. I think it’s also part of the whole “no one ever got fired for bringing in IBM/Microsoft” mentality at the CIO level.
*Thread Reply:* In my experience with Intune however it is incredibly poor at handling the use case I care about (fully managed Android devices) and customers are not realizing that until its too late.
*Thread Reply:* @Matt Dermody I completely agree with you. This situation is so cringey
*Thread Reply:* Also have to remember… every decade or so senior level management rotates out. New blood seeking “new” ways to show how they’re helping the company. The MS value proposition/price is very attractive to people in those positions. Then in 10 years, it’ll be time for the waves to go back out b/c Intune isn’t meeting their needs.
*Thread Reply:* On March 31, 2024, Ivanti Endpoint Manager (EPM) will end support for managing iOS and Android devices. EPM will continue supporting Windows, macOS and Linux.
This notification applies to customers who purchased EPM prior to January 1, 2022. Customers who purchased EPM on or after January 1, 2022 are not entitled to iOS and Android management.
*Thread Reply:* customers will need to use Ivanti EPMM instead (new name for Core) or go Cloud based with Ivanti Neuron for MDM (rebranded name for MI Cloud)
How would one create an advanced search for whether a device has an app installed?
We are in transition from MobileIron to Intune. We are not doing a factory reset on enrolled devices, only retire and re-enrollment via the Company Portal app. We want to keep a couple of apps which have been deployed via MobileIron and also deploy the Company Portal via MobileIron and leave it on the device after retirement from MobileIron. The option "Remove app when removed from MDM" within the app settings is disabled. My question: if apps have been deployed via VPP, the license will be revoked. Will that also be an issue with keeping the app on the device? My guess is yes.
*Thread Reply:* From memory there is a 30 day grace period, so if the new UEM replaces the VPP license key within the grace period, you should be good.
Anyone in the MI Cloud/Ivanti Neurons world seen “Could not retrieve license for the app with iTunes Store ID xxx” in the past couple of days?
Update: this was resolved by wiping and re-enrolling the device. I will say that the customer had failed to update their ABM T&Cs and I thought that might be having some bearing on it, but this was the sole device that exhibited this symptom. Couldn't reproduce on any others.
How would you design the transition from KCD with Exchange On-Prem to Exchange Online? What are the options for SSO (Core)?
*Thread Reply:* Cert based auth or Access are your two options I can think of.
*Thread Reply:* Is there a good guide how to configure CBA with MobileIron and Exchange Online?
*Thread Reply:* you would need to provide more details on the environment. What is the IDP?
*Thread Reply:* We have PHS, so no federated domain with ADFS
*Thread Reply:* if you are using Azure, which I think you are saying (correct me if I am mistaken), then see this article: https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-certificate-based-authentication
*Thread Reply:* We have successfully tested in our lab CBA with Exchange Online in combination with conditional access rules - if no certificate is presented, the users get prompted for 2FA. We have also been using CBA for years with Exchange Online and it works well. Very easy to configure via PowerShell. PM me if you want further info.
We are in the transition from MobileIron to Intune. Within the MobileIron Core Admin Portal we have NOT set the option "Remove app when MDM profile is removed" for MS Authenticator. But if we retire a device, MS Authenticator will still get removed - even though the app is managed! Any ideas?
@Mikey2000 that’s interesting. So the flag is not set to remove on MS Authenticator, but it is removing itself when a retire is initiated?
*Thread Reply:* Exactly! But not on every device.
*Thread Reply:* But we have not found a pattern whats wrong.
*Thread Reply:* was it enabled at one point to be removed and someone updated it so it was no longer set to be removed?
*Thread Reply:* Exactly! We have updated it a couple of weeks ago. Originally it was always set to remove after retire.
*Thread Reply:* I was told by support a while back that this setting will only get updated on an app already installed after there has been an update pushed to the app by the vendor. From Core I would recommend pushing the updates that are available to help with not removing the app. The last update was on Dec 14, 2022, so there is a good chance this will catch a lot of people and help with not removing the app.
*Thread Reply:* Holy sh**, that is some great input. Thanks a lot Clark. That could explain it. You mean push updates for the Authenticator app? How can I push updates? Do you mean the automatic app update checkbox within the app settings?
*Thread Reply:* Really shocking how most Core customers are not aware of this feature but check the box next to Authenticator > Actions > Installation Request and then configure the pop up like the below and click Apply
*Thread Reply:* So @Clark if you change the flag and you push an update… it effectively updates the state of the flag on the device without re-installing the app?
*Thread Reply:* Does that carry-over into MI Cloud as well?
*Thread Reply:* as devices check in they will receive the prompt to update unless they are DEP and it should then be silent
*Thread Reply:* @Woody the app is already managed; this is just telling the app to update to the latest version, and when doing so the changes you made for the app in Core, like not uninstalling, should then take effect.
*Thread Reply:* Right, forgot about this one. :facepalm::skintone_2: Thanks
*Thread Reply:* Okay. Just to be clear though, if an app is set not to uninstall on unenrollment and you change that preference… is there a way to push the updated setting to the already-installed app?
*Thread Reply:* as far as I am aware of no, unless there is an update to the app version or the user uninstalls and reinstalls
*Thread Reply:* @Clark oh, that’s nice. So if the vendor releases an updated version of the app (say via App Store), the updated managed payload (with preference to uninstall) would then be applied? Could be useful down the road.
How do you guys handle enrollment via KME for MobileIron Core in terms of labels? I want to enroll COBO and WPoCOD. If a filter label can be used, how would the query look like? Do I still need the JSON within the KME profile like described in the Ivanti document for KME?
Hey,
No, you don’t need to add any DPC extras to KME.
WP-C or DO mode deployment is determined by the config you send from Core
*Thread Reply:* Right. But normally you have one AE enrollment config for WPoCOD and a separate one for COBO. Which filter property would you use? Because both are DO / Work Managed.
*Thread Reply:* What are the criteria you are looking for to distinguish when a user provisions a device in DO mode and when in COPE/WP-C?
*Thread Reply:* I don’t know the exact wording, but we used the Registration Status (like work managed) within the filter label. It’s Work Managed and Work Managed with Profile or something like that. Finally we ended up using LDAP groups
*Thread Reply:* Yes, but I’m asking what would be the expected behavior.
What is the expected behavior?
Are you looking for defining from ZT/KME the expected AE deployment instead of from UEM side?
*Thread Reply:* Yes we enroll via KME. So the profiles within KME should match the correct AE config on Core
*Thread Reply:* Because M@W supports passing keys, you should be able to apply a custom attribute to devices provisioned with a given ZT or KME or QR code
*Thread Reply:* That is exactly what I am looking for
*Thread Reply:* If you check MI Provisioner you will see fields at the bottom when you select M@W
There was a phase I of WP-C support when a parameter was required, but you don’t need it anymore
Has anyone active Windows enrollments with Core? Trying to set up a WiFi via CBA. SCEP pushes the certificate, it is visible on the Windows client. Same goes for the WiFi profile. But if I try to connect it asks for a client certificate, which is there. Any ideas what I might be missing? Are fresh Windows enrollments still supported with Core?
They are supported and if you are pushing the cert to the User store, that should work
We have connected Graph API with Core so we can use App Protection Policies with Microsoft apps on MobileIron devices. Problem is, the check-in count of the App Protection Policy stays 0, the policy will not apply. Policy is applied to the app. The user has an Intune license and is a member of the group to which the policy has been applied. Did I miss anything else? What could be the issue, logs?
Automatic app updates on iOS - some devices install automatic app updates but others won’t. All devices have the same label and have an working check-in. Are there any device settings that might prevent the automatic app update?
Maybe auto update is disabled on the device end..
Is it me, or are MI Cloud’s reporting capabilities lacking compared to other MDMs? Was trying to make a report of Employee Owned devices where the users are in a specific AD group, with a specific app installed.
Only way I have been able to pull that info is to download two separate reports and compare the data in Excel to get the info I need.
*Thread Reply:* Did you try with custom search?
*Thread Reply:* Is that just doing an advanced search under Devices?
*Thread Reply:* I meant advanced, sorry
*Thread Reply:* IMHO… while MI Cloud is easy to use and is for the most part stable/available… I don’t think I’ve seen any improvement/innovation on product in quite some time.
*Thread Reply:* Agreed @Woody. I've only just started managing it a little under a year ago and it feels a few steps behind other MDMs.
*Thread Reply:* @Rob B I consider it to be a happy medium between some of the more basic ones like Meraki and then the super in-depth offerings like WS1. Just really comes down to your needs and budget.
*Thread Reply:* @Rob B I have a few scripts you can use. It will export to CSV and is written in PowerShell. Let me know which fields you need, I got you.
Is there a way to change Core’s enable secret via SSH?
Has anyone tested enrollment of an AE device via ZeroTouch for a MI Cloud tenant that is using AzureAD for auth? Trying to determine if MI Go will keep prompting for U/P in a form or if it will redirect to AAD for auth. So far I’ve only seen the former, but wonder if there is a DPC Extra etc that I need to add to make it all work?
*Thread Reply:* Figured this out. I had “server URL” in my ZTE config and that was stopping MI Go from allowing username entry/lookup (and subsequent modern auth for said user).
*Thread Reply:* Hi Woody, can you share the example DPC json that you are using? thanks Gary
*Thread Reply:* @Gary — This was for a customer, so let me see if I can scrub it and send
Is there a way for Android 13 devices in MI to register the serial under work profile and not work managed?
*Thread Reply:* Profile owners don't get access to device identifiers, so not really
What happened to the CORE download page? https://support.mobileiron.com/support/download
*Thread Reply:* https://support.mobileiron.com/support/CDL.html is still working fine
*Thread Reply:* Oh perfect, wrong link saved I guess :)
Intune Partner Compliance with MobileIron Core. Is it possible to add multiple MobileIron Cores to one tenant? Microsoft states there is a limit for one partner per platform, so I guess this is not possible.
*Thread Reply:* Well you can add multiple, as long as each Core only services one platform.
*Thread Reply:* I see.. like Core 1 only iOS and Core 2 only Android. This is not the case. We have 3 Core instances in our company with iOS and Android on every Core.
Can anyone explain what is causing this? We have a lot of devices where W@W brings up the message "not authorised". User is compliant. AppConnect Policy is applied. W@W feature is globally enabled.
Did the MobileIron Go to Ivanti Go changeover break Knox KME for anyone else? Guessing the location/name of the APK changed and therefore Knox can’t access it anymore.
*Thread Reply:* The package name is still the same though, com.mobileiron.anyware.android, from what I see. In the KME configuration, how did you configure the MDM client part?
*Thread Reply:* It appears the package is still available at https://support.mobileiron.com/cloud-android/current/MobileIron-Go-latest.apk
*Thread Reply:* Seems like the app icon/branding is updated in the Play store, but after its installed its still called MobileIron Go with the old blue M icon.
On iOS it still looks like the old name and icon.
Seems kind of odd
*Thread Reply:* Can confirm, it was a coincidence that the Go app was rebranded at the same time my customer had an issue. Turns out theirs was stemming more from lack of licensing in the Samsung Intelligence app. She mentioned she was seeing the new Ivanti Go and that’s what threw me off.
Hey gang — Can anyone remind me, if no check-box is selected on the Core ACLs… does that mean that said service is not exposed/accessible (or is it otherwise wide-open for access)?
*Thread Reply:* It is wide open; services are exposed to all. You need to check the box and limit it to the IPs you need to expose it to.
Nice to see MI Cloud gaining support for ChromeOS.
Weird. Only seems to be occurring from my test iPod Touch (7th Gen). Must be an issue with the version of iOS it’s running on (15.7.6). Bumping it up to 15.7.7
@Mark Vonk nah, I tried WiFi and Cellular Hotspot. Behaved the same way on both
The logs are showing a 500 error from the MobileIron server
Right @Jeremy — Oddly enough it doesn’t throw that same error for iOS 16 devices
Yeah, either MobileIron investigate this, or you keep trying to find the variable that triggers this issue 🕵️♂️
@Jeremy I’m gonna submit a ticket and say a prayer LoL
*Thread Reply:* Did you ever manage to get this fixed?
*Thread Reply:* @Mark Vonk admittedly it stopped occurring for me. Are you still seeing it?
Hi! Do you know if in MI Core there is a way to check/change the rate limit of the API commands that the MDM will accept in 24h or in one hour before it will stop answering any requests? I know Workspace One has a ‘daily quota’ setting parameter, but which one would be the equivalent in MI Core and where can we access it?
*Thread Reply:* As far as I know there is no limit, unless you are killing the Core with API requests 😉 in that case you are limited to the resources applied to the Core.
*Thread Reply:* Thank you Mark, that’s the direction that the team was going to, making sure enough CPU will handle a rush of API requests !
I need to change the internal IP addresses and the gateway configured for Core and Sentry. What is the best way to do that? 1.) change the IP address via System Manager 2.) add the new network to the VM
But I guess this won’t work if I change the gateway via System Manager, which will not be possible after I change the IP.
Should I rather change everything via CLI on VM console?
*Thread Reply:* You should do it from the VM console. In order not to get stuck in a loop I would add the VM network first. Then update the IP address and after that change the routes (gateway)
*Thread Reply:* Thanks worked like a charm
We use certificates (SCEP) with Core for our WiFi. Today we have a lot of devices which cannot connect to the WiFi. The WiFi config has the status "partially applied" on these devices. What does that mean?
*Thread Reply:* Could be this issue: https://forums.ivanti.com/s/article/EPMM-WiFi-configuration-fails-to-install-on-Android-devices
*Thread Reply:* Are the devices A13? https://mobilxperts.slack.com/archives/C1V8JC31T/p1687943586782749?thread_ts=1687938080.448419&cid=C1V8JC31T
*Thread Reply:* Interesting - thanks guys.
Ivanti have released details of a vulnerability (CVE-2023-25690) in Core 11.9.0.1 and below which allows unauthenticated users to receive responses which could include PII data.
https://www.cve.org/CVERecord?id=CVE-2023-25690
Need to upgrade to Core 11.10.0.1 or manually install a patch. See link for more details.
https://forums.ivanti.com/s/article/EPMM-Security-Concern-with-Server-Response-Leak
*Thread Reply:* In the first sentence of the article they mention that 11.9.0.1 and below is affected. There is also 11.9.1.0. So only 11.10.0.1 includes the fix and 11.9.1.0 is also affected - can anyone confirm this?
*Thread Reply:* From reading the article, 11.9.1.0 is also affected.
If you’re running an affected version, you will need to upgrade to 11.10.0.1 OR manually install the RPM package.
We’ll be installing the RPM, as we never run the latest release.
Good Morning, is anyone else experiencing issues with the Users section of the MIC UI? On two occasions today my customers can only see the user that is signed in and no others. Is there a bug with the MIC UI?
*Thread Reply:* Hey Peuge, how are you my friend? Hope all is well with you. I am not seeing any issues on NA1. What cluster are you having issues with, NA2? I have not heard of any problems from the customer base, which is mostly on NA2.
I have not touched AAD integration in a while. Looks like there are a lot of changes happening. I have a customer whose users are not syncing to MIC after the AAD integration. Am I missing something? This should happen automagically, right?
Email+ on Android Enterprise - is there a way to see the subject from an appointment on the lockscreen? Should this be visible by default? Can anyone confirm this?
So, is everyone busy patching ~MobileIron~ Core ?
*Thread Reply:* We just finished last weeks patching 🙂
*Thread Reply:* (context: https://techcrunch.com/2023/07/25/ivanti-epmm-zero-day-norway-government-breach/)
*Thread Reply:* We just got notified about another one a few minutes ago.
*Thread Reply:* Yes, wonderful (not). https://forums.ivanti.com/s/article/KB-Arbitrary-File-Write-CVE-2023-35081?language=en_US
*Thread Reply:* If I read correctly, this is the privilege escalation step used after the initial exploit patched earlier this week, same customers affected.
*Thread Reply:* Yes, but the k-item also says "CVE-2023-35078 reduces the complexity of executing CVE-2023-35081". So even after patching 35078 customers are still vulnerable for 35081.
*Thread Reply:* my favorite part is we haven't been able to update our Core as we are getting a "download failed" error when updating.
We used the RPM fix in the interim. But with this new CVE it looks like we actually need the Core update to work correctly. Hopefully this 2nd call with Ivanti support can get it figured out
*Thread Reply:* The gift that keeps on giving 🫣
*Thread Reply:* For those trying to keep up with all the Ivanti exploits: CVE-2023-35082 impacts all versions of EPMM/Core. This article has details on the patch https://forums.ivanti.com/s/article/KB-Remote-Unauthenticated-API-Access-Vulnerability-CVE-2023-35082?language=en_US
We want to block iTunes backups on personal devices. We have a couple of terminals in our company where users can start and manage their backups. Am I still up to date that there is a way within the DEP profile to allow certain computers to connect to the devices - what do I need for that? A certificate from our terminal computers? We are on EPMM aka Core
*Thread Reply:* You can block USB to any machine that does not have the Supervision certificates on it.
*Thread Reply:* So I have to create a certificate with the Apple Configurator 2, use that cert within the DEP profile and every computer that has that cert installed is a trusted computer and can sync with the devices. Is that limited to macOS or can Windows also be used?
*Thread Reply:* The supervision certificate may already have been created, but if not then yes, create one with AC2 (macOS only), then use that on the machines you want to sync with. Set the device to only allow sync with supervised devices.
*Thread Reply:* Ok, so create the cert only on macOS because of the AC2, but we can install the cert also on a Windows machine to be a trusted device? Or is this also just macOS?
*Thread Reply:* I am not sure, I know how the process works but I don’t use Windows machines so I have never tried. I would not hold my breath for it to work. Sorry I am not more help.
We are migrating from Exchange on-prem to EXO. I want to switch the exchange configs dynamically once the migration batch is finished and the user was successfully migrated to EXO. I want to create a dynamic label on EPMM(Core) which targets the AD property „msExchRemoteRecipientType“ = 4 Is this the right property or is there a different one - does anyone have experiences with that?
*Thread Reply:* Never used this attribute but I think it should work. I always use the attribute MSExchHomeServerName. If it equals to the on-prem server the mailbox is not migrated yet.
Hey y’all. Anyone run into issues retiring Apple iOS 16.6 + 17.x in Ivanti Neurons?
We use MobileIron Core with a dynamic label for Android Enterprise enrollment with Android.afw_capable is true. The Android Enterprise enrollment config enables Work Profile on Managed devices. So currently every Android device will get a Work Profile. Now we need to enroll a couple of Kiosk devices, which of course will now also receive that enrollment config due to the label. What is the best way to exclude the Kiosk devices? I have tried to add the registration status within the existing label (so only add COPE/WPoCOD and Work Profile to the label), but it looks like this breaks my Android enrollment (unsupported mode error) because at the time of the enrollment the device will not have that registration status and lands in the device admin enrollment.
What is the best way to solve this? Use an AD group within the label? I have plenty of COPE/WPoCOD devices, so I cannot remove that label and redesign it.
I'd go AD group for exclusion, though if Core supports precedence for labels a newer label with higher precedence may be cleaner.
**Haven't touched Core in two years, by all means wait on better advice
We have a couple of Samsung tablets running on Kiosk with MobileIron Core. If the devices are not used for some time, they lose the WiFi connection. Is there a way to prevent that? I guess the power saving mode is the killer. Deactivate it with KSP?
Personally I use custom attributes to differentiate enrollment modes (you can also pass it through QR code/ZTE)
Our firewall guy told me today that the Firewall marks a lot of traffic from Core and Sentry as highly suspicious. Core is the latest version, but Sentry is still 9.17. Could be that some of the previous exploits compromised our environment. Is there a list which traffic is expected?
Has anyone seen this issue? We remove the MDM profile from an Ivanti enrolled iOS device (Core), but after installing the Company Portal app the error message appears: device still enrolled with MobileIron On-Premise… and we cannot enroll the device. We also have wiped a device, but still the same message. How is this possible?
*Thread Reply:* That should not be possible, if you removed the MDM profile manually or performed a Retire command. Are these ABM devices?
*Thread Reply:* Our Core is offline because of a security incident, so no retire from Core possible. Yes some of these devices are ABM.
*Thread Reply:* What error do you get when Intune tries to implement its MDM profile?
*Thread Reply:* “This device is registered with MobileIron Device Compliance On-prem.”
*Thread Reply:* Oh wait just a minute - this is the partner compliance
*Thread Reply:* Of course - we have registered most of the devices in Azure with the Core Partner Compliance. So we have to remove the devices from Azure I guess.
*Thread Reply:* Intune is also registered with ABM now? If you’re moving around, the ABM profile needs to be Intune as well
Open a support ticket. something didn't get cleaned up correctly in the database
*Thread Reply:* You mean the database on Core? If we remove the profile manually on the device and uninstall the Ivanti app, how would a connection to Core be relevant?
Okay -- Admittedly it's been a minute since I've enrolled an AE Work Managed Device (No Work Profile) into MI Cloud/Neurons MDM. Is there something more I need to do in order for the profile to install? Device gets through the Provisioner/QR/6x Tap startup wizard and then just sits there waiting for the profile. Have tested in 2x Ivanti tenants and am receiving the same result.
*Thread Reply:* You need to assign the Android WPCoD configuration, not the Work Managed one
*Thread Reply:* On it. Give me a few and I'll report back.
*Thread Reply:* For Rugged Devices (Honeywell/Zebra) is that applied to the Neurons/local "Service Account" that is created for those type devices?
*Thread Reply:* @Woody did you use user groups?
*Thread Reply:* @Florent N. I can. Presently just assigned directly to my test user
*Thread Reply:* I did not understand your question sorry.
*Thread Reply:* Sorry, it revolves around the use of Honeywell/Zebra scanner devices
*Thread Reply:* Will they also need to have the Android WPCoD assigned?
*Thread Reply:* Obviously going to follow the vendor's documentation/specifications, but at its core they should follow the same approach. Right?
*Thread Reply:* Only if you want work profile on them, if not use the other ae configuration
*Thread Reply:* Work Profile (on a dedicated device) will just be the single profile... with no Work Satchel. Right?
*Thread Reply:* I've tried all the other configs and they result in the same screen-shot I sent at the beginning of this thread
*Thread Reply:* Or is that the stance going forward? That a Work Profile will be on the CoD regardless
*Thread Reply:* Are you using gms versions of Zebra OSs ?
*Thread Reply:* I'm currently testing on Samsung Hardware. The customer will be responsible for the Zebra side of the house, I'm just mentally prepping so I can educate him
*Thread Reply:* Work Profile is for BYOD
*Thread Reply:* So if I'm doing Company Owned/Dedicated Device... I should be using: Android enterprise: Work Managed Device (Android for Work)
*Thread Reply:* Yes if you don't want a work profile on them
*Thread Reply:* @Florent N. is it possible to install the Android enterprise: Work Managed Device (Android for Work) profile by using the 6x taps? Or does it need to come through ZTE/KME to have that flag set?
*Thread Reply:* It appears to still be a Android Work Managed Device, but I can't get that profile to push.
*Thread Reply:* Interesting. I got it to install, but had to reboot the device first
*Thread Reply:* It can take time sometimes
*Thread Reply:* Okay, closure here. There's something up with Android 9 phones and the 6x Tap (QR code from Ivanti Provisioner) into Device Owner/CoD mode. They come through fine with KNOX KME, but don't provision properly using the taps. I tried the 6x tap with my S8 Tablet (Android 14) and it came right through. Guess it's about time to finally retire the old fleet of Android 9 units.
*Thread Reply:* @Florent N. Even more closure: The phone I was testing with (I have two identical A10e units) isn’t registering its AE attributes correctly with Ivanti, therefore it isn’t added to the Android Enterprise group (and isn’t entitled to the profiles). I tested several times with my S8 Tablet and achieved success every time. Definitely time to retire these older units.
https://www.cisa.gov/news-events/directives/ed-24-01-mitigate-ivanti-connect-secure-and-ivanti-policy-secure-vulnerabilities Just keeps givin’
@Toby Sansome has joined the channel
Anybody ever see a user who unenrolls from Ivanti Neurons, but Apps@Work sticks and it’s still non-removable? Feel like I remember this happening once before to me with Maas360 and their app store long ago but couldn't remember the fix.
I am looking for an integration guide for Ivanti Mobile Threat Defense with EPMM (aka Core) but I can only find the integration guide for Neurons (Cloud). Is EPMM not supported anymore?
*Thread Reply:* @Mikey2000 it hasn’t really changed in a while it seems, especially as they are now pushing Lookout as the replacement to Ivanti MTD https://help.ivanti.com/mi/help/en_us/mtd/11.x/gdco/Content/LandingPage.htm
*Thread Reply:* Oooh that's an extremely spicy question for Ivanti these days hahahah
Are there currently any known issues with Samsung devices and email sync? I have more and more devices stopping email sync (Email+) after 24 hours. During the setup everything works fine, but after like 24 hours the sync stops. The ActiveSync entry is still allowed (EPMM). If I delete the entry, no new entry will be created.
*Thread Reply:* We had that issue before and it was supposedly a known one that was worked out a while back. I think a year ago.
Haven't heard about it popping up again though. https://forums.ivanti.com/s/article/Email-and-gmail-randomly-fail-to-sync-on-Android-OS-13-devices?language=en_US
@Aitor Gonzalez has joined the channel
@Leandro Nomid EMM has joined the channel
Hello, does anyone know where to find the Core GMRC doc?
Hello everyone, has anyone found a solution to set the wallpaper on Zebra devices enrolled in Ivanti EPMM in AOSP mode? It seems that OEMConfig does not work in this mode. I tried to find an intent for that but cannot find any.
*Thread Reply:* Almost 100% of Zebra devices I deploy and manage have a custom lockdown applied from the MDM and therefore the base wallpaper is never displayed to the end user. Are these devices not locked down?
*Thread Reply:* Also curious and a bit confused by what you mean by AOSP mode. All Zebra devices that have shipped since basically the WT6000 and TC8000 have been GMS with the exception of China based AOSP skus
*Thread Reply:* OEMConfig itself is an Android Enterprise feature typically deployed through Managed Play. If your devices are AOSP then OEMConfig may not be an option unless your EMM can handle “offline” managed configurations
*Thread Reply:* On AOSP Mode on EPMM/Core you can use OEMConfig apps as well.
You just need to upload OEMConfig app as in-house, and you will see Managed Config inside.
The limitation is that same server won’t be able to deploy in-house (for AOSP) and public (for any other AE mode) version of same app, so if you are using same EPMM server, you just can do one or the other.
Now, On EPMM you can still push XML configs from StageNow to Zebra devices, regardless if they are AOSP or regular AE.
If StageNow meets your needs, I’d go this way instead of thru OEMConfig.
Hope it can help,
*Thread Reply:* I use Android devices using AOSP/closed network. I need to change the wallpaper and lockscreen wallpaper. My config is never pushed, and I have to trigger the OEMConfig change intent using adb, but my config is still never pushed. However, other apps receive the configuration.
*Thread Reply:* When you say your config, which one do you mean?
An XML you created on StageNow and uploaded to EPMM, then pushed to AOSP devices?
A Wallpaper config for DO mode created on EPMM and pushed to devices?
A configuration created within the in-house Zebra OEMConfig app and sent to AOSP devices?
Which one?
*Thread Reply:* If EPMM native wallpaper config is not working, I’d try creating XML on SN and pushing it to devices.
*Thread Reply:* If you only have AOSP devices managed on this EPMM server, you can try uploading OEMConfig app as in-house, and remember to upload any app update manually, but if you also manage regular AE devices, better going with XML way
*Thread Reply:* I mean Zebra OEM config managed config (no status in app)
*Thread Reply:* I wanted to try using OEMConfig to use file transfer instead of a remote server, as variables cannot be used in the XML config
*Thread Reply:* Umm, weird that it’s not being pushed.
*Thread Reply:* Yeah, I had to trigger config change using adb to see a last update timestamp in app but still no status
*Thread Reply:* I tested this on Samsung and worked but I have no Zebra devices to test
*Thread Reply:* Wallpaper config is not applied at all (not visible)
*Thread Reply:* Got it.
You should open a support ticket then as I’ve mentioned, same in-house OEMConfig approach worked with other vendors on AOSP mode.
*Thread Reply:* Thanks for your help, I will do it then.
*Thread Reply:* Try with a Samsung device to compare, or any other one you may have that also has OEMConfig app. Registered as AOSP for sure.
*Thread Reply:* I will try on Samsung and see if it works. And maybe with legacy Zebra OEM config
*Thread Reply:* Guessing there was a Russian developer involved in the app at some point.
*Thread Reply:* It's funny to see dev history in some little things, there is something similar with One Drive app
There are three new CVEs on EPMM, fortunately a little less critical: https://forums.ivanti.com/s/article/KB-Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-May-2024?language=en_US
@Nesrin Kalender has joined the channel